openldap-software

openldap-software@openldap.org

2719 discussions

problem with ldif; please help
by JOYDEEP 16 May '07

16 May '07

Dear list, I like to have a multidomain structure in openLDAP. below is my ldif but slapadd reports error because of the domain mis-configuration. could any one kindly help me to fix the problem ? ----------------------------------------------------------------------------- dn: dc=linux,dc=box ObjectClass: dcObject dc: linux structuralObjectClass:dcObject dn: o=kolkata.in,dc=linux,dc=box objectClass: domain o: kolkata.in structuralObjectClass: domain dn: ou=adrbook-kol,o=kolkata.in,dc=linux,dc=box ou: adrbook-kol objectClass: top objectClass: organizationalUnit structuralObjectClass: organizationalUnit dn: ou=Users,o=kolkata.in,dc=linux,dc=box ou: Users objectClass: top objectClass: organizationalUnit structuralObjectClass: organizationalUnit dn: ou=Groups,o=kolkata.in,dc=linux,dc=box ou: Groups objectClass: top objectClass: organizationalUnit structuralObjectClass: organizationalUnit dn: o=delhi.in,dc=linux,dc=box objectClass: domain o: delhi.in structuralObjectClass: domain dn: ou=adrbook-del,o=delhi.in,dc=linux,dc=box ou: adrbook-kol objectClass: top objectClass: organizationalUnit structuralObjectClass: organizationalUnit dn: ou=Users,o=delhi.in,dc=linux,dc=box ou: Users objectClass: top objectClass: organizationalUnit structuralObjectClass: organizationalUnit dn: ou=Groups,o=delhi.in,dc=linux,dc=box ou: Groups objectClass: top objectClass: organizationalUnit structuralObjectClass: organizationalUnit -----------------------------------------------------------------------------------

4 10

(raise question again) how to configure LDAP to allow each logged-in user to modify the subtree of the current user?
by Zhang Weiwu 16 May '07

16 May '07

Dear list I've posted this question before. Maybe it's my bad English but I didn't get a solution nor an answer of "it's impossible" too so I just post again (yes I knew people answer me for free and for being kind and I am really thankful for all feedback) Is it possible to define ACL that every user who successfully bind-ed (logged in) that this user can modify their own entry as well as the sub entries of them? e.g. dn: ou=support,xxx if one connection is bind to this dn, it can modify these entries: dn: cn=Wang Penghui,ou=support,xxx dn: cn=Zhang Weiwu,ou=support,xxx Now we have some 3000 people who can login to the LDAP database and each are logged in as an entry which is organization or organizationalUnit. They all need to be able to modify entries within their own organization or organizationalUnit. I know how to define one ACL rule for one to be able to modify an entry and its subtree, but in my case I need to define 3000 ACL rules (and this number is still growing). Can such permission requirement be defined within limited number of ACL rules? Best Regards -- Zhang Weiwu Real Softservice http://www.realss.com +86 592 2091112

3 3

Inconsistency in my LDAP Replication
by Dennis Gonzales 15 May '07

15 May '07

Hi To all, I'm new with this mailing list. I'm having inconsistency with my current LDAP replication using ldbm database. Authentication (authconfig) on both systems is pointed first to master and 2nd to slave for safety. My current userids are growing to (200,000+) two hundred thousand plus. On my slave, ldapsearch command w/ some of my users it shows but in my master it doesn't. And also, when comparing the /var/lib/ldap/*.dbb files on both systems, the gecos.dbb of slave is greater than master's gecos.dbb by 1MB and the other .dbb files are the same size. Is it safe to copy(scp) the gecos.dbb from slave to master to sync their data? Here's my current systems: Master: Redhat AS3 - U6 openldap-clients-2.0.27-20 openldap-devel-2.0.27-20 openldap-servers-2.0.27-20 openldap-2.0.27-20 Slave: Redhat AS3 - U4 openldap-clients-2.0.27-21 openldap-devel-2.0.27-21 openldap-servers-2.0.27-21 openldap-2.0.27-21 Regards, Dennis Systems Administrator

2 1

ACL Assistance
by Joshua M. Miller 15 May '07

15 May '07

I'm running OpenLDAP 2.3.34 and am having trouble figuring out the ACLs. I have the following: access to attr=userPassword by self write by anonymous auth by * none access to * by self write by * read My intention is to allow everything but the userPassword attribute to be available to all users and have the userPassword attribute be available for authentication and password changes by each user (but only for each user). The problem with the above ACL is that I am able to read all user's password hashes through an authenticated bind. What am I doing wrong? Thanks, -- Joshua M. Miller - RHCE,VCP

4 5

ldap ACLS with regex
by Jeronimo Zucco 15 May '07

15 May '07

Hi list. I'm using openldap 2.3.35 to my mail user database, and I have this structure: uid=user1,ou=People,dc=domain,dc=br ou=ImpPrefs,uid=user1,ou=People,dc=domain,dc=br cn=user1,ou=PersonalAddressBook,dc=domain,dc=br I try to make ACLs to permit just "self" users to write, in his ImpPrefs and PersonalAddressBook, without success. I did not find much examples of ACLs with regex, I try to do: access to dn="^.*,uid=([^,]+),(.*),ou=People,dc=domain,dc=br" by dn="uid=$1,$2,ou=People,dc=domain,dc=br" write by * none but this give me an error. Somebody can help me? -- Jeronimo Zucco LPIC-1 Linux Professional Institute Certified Núcleo de Processamento de Dados Universidade de Caxias do Sul http://jczucco.blogspot.com

5 10

querying ACLs
by Shane 15 May '07

15 May '07

Hi, Is it possible to "query" what permissions an "entity" has prior to them trying to make a change or addition? In context, I'm writing an app that has different levels of editing based on who you are / what groups you're in etc. >From majority of examples I've seen this seems to be a try fail sort of thing, try to edit, if it fails you report the error (usually no permissions). It would be really handy to turn that around and query the server first and give an interface to the user which only has parts they can edit as editable - I could code in which groups have access etc but then if I add extra groups to the ACL I'll need to change code ... simply trying to modify every attribute then catching / reporting failures or using this to work out what they can edit just feels dirty and surely isn't very efficient - is there an alternative? TIA Shane.

4 3

Re: ldap ACLS with regex
by Gavin Henry 15 May '07

15 May '07

<quote who="Jeronimo Zucco"> > Hi list. > > I'm using openldap 2.3.35 to my mail user database, and I have this > structure: > > uid=user1,ou=People,dc=domain,dc=br > > ou=ImpPrefs,uid=user1,ou=People,dc=domain,dc=br > > cn=user1,ou=PersonalAddressBook,dc=domain,dc=br > > > I try to make ACLs to permit just "self" users to write, in his ImpPrefs and PersonalAddressBook, without success. > > I did not find much examples of ACLs with regex, I try to do: > > > access to dn="^.*,uid=([^,]+),(.*),ou=People,dc=domain,dc=br" > by dn="uid=$1,$2,ou=People,dc=domain,dc=br" write Why $1 and $2? I thought you said your users dn was: uid=user1,ou=People,dc=domain,dc=br > by * none > > > but this give me an error. > > Somebody can help me? Ignore me, my mail is all out of order and I can now see this thread is well on it's way ;-) Gavin. > > -- > Jeronimo Zucco > LPIC-1 Linux Professional Institute Certified > Núcleo de Processamento de Dados > Universidade de Caxias do Sul > > http://jczucco.blogspot.com > >

1 0

How can I use {lanman} correctly?
by Frittella Laurento 15 May '07

15 May '07

I'm trying to use a lanman hash to auth my users, for example I'm trying with something like this: dn:mail=dude@example.com,dc=example,dc=com changetype: modify replace: userPassword userPassword: {lanman}5f08db99e1768ee5a91e999999c3ac6e I'm sure about the password but the user 'dude' cannot auth, slapd logs this: slapd[11684]: conn=1 op=17 RESULT tag=97 err=49 text= Regards, Laurento

3 3

overlay rwm
by Raffaele Viola 15 May '07

15 May '07

Hi all, I have this configuration in the slapd.conf. I want to make the ldap server connect to another LDAP (having a different schema) to serve the request to the sub tree ou=UK_grp,ou=people,dc=AEL,dc=IT. database ldap overlay rwm suffix "ou=UK_grp,ou=people,dc=AEL,dc=IT" rwm-suffixmassage "ou=UK_grp,ou=people,dc=AEL,dc=IT" "o=UK_grp,dc=RAFFO,dc=ITA" uri "ldap://151.98.181.64/" idassert-bind bindmethod=simple binddn="cn=Manager,dc=RAFFO,dc=ITA" credentials=secret rwm-map objectclass top top rwm-map objectclass organizationalUnit organization rwm-map attribute ou o rwm-map objectclass cmmContact person rwm-map attribute sn sn rwm-map attribute cn cn subordinate I've to map the back-ldap information on the front-ldap schema. front-ldap schema: ou=UK_grp (l:UK_grp , ou:UK_grp , objectClass:top , objectClass organizationalUnit ) | |----cn=Raffo (objectClass:MyContact , sn:raffo , cn:raffo) ______________________________ back-ldap schema: o=UK_grp(l:UK_grp, o:UK_grp, objectClass:top , objectClass organization ) | |----cn=Raffo (objectClass:person , sn:raffo , cn:raffo) Following a part of the log(level 4095) where I can see May 11 10:58:08 linux slapd[6292]: [rw] searchDN: "ou=UK_grp,ou=people,dc=AEL,dc=IT" -> "o=UK_grp,dc=RAFFO,dc=ITA" and May 11 10:58:08 linux slapd[6292]: [rw] searchEntryDN: "o=UK_grp,dc=RAFFO,dc=ITA" -> "ou=UK_grp,ou=people,dc=AEL,dc=IT" When the front-ldap send a Search Request Scope: base DN=cn=Manager,dc=RAFFO,dc=ITA get from the back-ldap a Search Entry with: Distinguished Name: o=UK_grp,dc=RAFFO,dc=ITA Attribute: objectClass Value:top Value:organization but not something about the attribute or object class mapping. I think that the first LDAP doesn't make the mapping of attribute and objectclass. Can someone help me? Regards Raffo -------------------------------------------------------------------------------------------------------- May 11 10:58:08 linux slapd[6292]: <= send_search_entry: conn 0 exit. May 11 10:58:08 linux slapd[6292]: send_ldap_result: conn=0 op=2 p=3 May 11 10:58:08 linux slapd[6292]: send_ldap_result: err=0 matched="" text="" May 11 10:58:08 linux slapd[6292]: [rw] searchDN: "ou=UK_grp,ou=people,dc=AEL,dc=IT" -> "o=UK_grp,dc=RAFFO,dc=ITA" May 11 10:58:08 linux slapd[6292]: >>> dnPrettyNormal: <o=UK_grp,dc=RAFFO,dc=ITA> May 11 10:58:08 linux slapd[6292]: <<< dnPrettyNormal: <o=UK_grp,dc=RAFFO,dc=ITA>, <o=uk_grp,dc=raffo,dc=ita> May 11 10:58:08 linux slapd[6292]: str2filter "(objectClass=*)" May 11 10:58:08 linux slapd[6292]: begin get_filter May 11 10:58:08 linux slapd[6292]: PRESENT May 11 10:58:08 linux slapd[6292]: end get_filter 0 May 11 10:58:08 linux slapd[6292]: =>ldap_back_getconn: conn 0x802663d8 inserted refcnt=1 binding=1 May 11 10:58:08 linux slapd[6292]: >>> dnPrettyNormal: <o=UK_grp,dc=RAFFO,dc=ITA> May 11 10:58:08 linux slapd[6292]: <<< dnPrettyNormal: <o=UK_grp,dc=RAFFO,dc=ITA>, <o=uk_grp,dc=raffo,dc=ita> May 11 10:58:08 linux slapd[6292]: [rw] searchEntryDN: "o=UK_grp,dc=RAFFO,dc=ITA" -> "ou=UK_grp,ou=people,dc=AEL,dc=IT" May 11 10:58:08 linux slapd[6292]: >>> dnPrettyNormal: <ou=UK_grp,ou=people,dc=AEL,dc=IT> May 11 10:58:08 linux slapd[6292]: <<< dnPrettyNormal: <ou=UK_grp,ou=people,dc=AEL,dc=IT>, <ou=uk_grp,ou=people,dc=AEL,dc=IT> May 11 10:58:08 linux slapd[6292]: => send_search_entry: conn 0 dn="ou=UK_grp,ou=people,dc=AEL,dc=IT" May 11 10:58:08 linux slapd[6292]: => access_allowed: read access to "ou=UK_grp,ou=people,dc=AEL,dc=IT" "entry" requested May 11 10:58:08 linux slapd[6292]: => dn: [1] May 11 10:58:08 linux slapd[6292]: => dn: [2] cn=subschema May 11 10:58:08 linux slapd[6292]: => acl_get: [5] attr entry May 11 10:58:08 linux slapd[6292]: => acl_mask: access to entry "ou=UK_grp,ou=people,dc=AEL,dc=IT", attr "entry" requested May 11 10:58:08 linux slapd[6292]: => acl_mask: to all values by "cn=manager,dc=AEL,dc=IT", (=0) May 11 10:58:08 linux slapd[6292]: <= check a_dn_pat: * May 11 10:58:08 linux slapd[6292]: <= acl_mask: [1] applying read(=rscxd) (stop) May 11 10:58:08 linux slapd[6292]: <= acl_mask: [1] mask: read(=rscxd) May 11 10:58:08 linux slapd[6292]: => access_allowed: read access granted by read(=rscxd) May 11 10:58:08 linux slapd[6292]: => access_allowed: read access to "ou=UK_grp,ou=people,dc=AEL,dc=IT" "objectClass" requested May 11 10:58:08 linux slapd[6292]: => dn: [1] May 11 10:58:08 linux slapd[6292]: => dn: [2] cn=subschema May 11 10:58:08 linux slapd[6292]: => acl_get: [5] attr objectClass May 11 10:58:08 linux slapd[6292]: access_allowed: no res ITom state (objectClass) May 11 10:58:08 linux slapd[6292]: => acl_mask: access to entry "ou=UK_grp,ou=people,dc=AEL,dc=IT", attr "objectClass" requested May 11 10:58:08 linux slapd[6292]: => acl_mask: to value by "cn=manager,dc=AEL,dc=IT", (=0) May 11 10:58:08 linux slapd[6292]: <= check a_dn_pat: * May 11 10:58:08 linux slapd[6292]: <= acl_mask: [1] applying read(=rscxd) (stop) May 11 10:58:08 linux slapd[6292]: <= acl_mask: [1] mask: read(=rscxd) May 11 10:58:08 linux slapd[6292]: => access_allowed: read access granted by read(=rscxd) May 11 10:58:08 linux slapd[6292]: conn=0 op=2 ENTRY dn="ou=uk_grp,ou=people,dc=AEL,dc=IT" May 11 10:58:08 linux slapd[6292]: <= send_search_entry: conn 0 exit. May 11 10:58:08 linux slapd[6292]: send_ldap_result: conn=0 op=2 p=3 May 11 10:58:08 linux slapd[6292]: send_ldap_result: err=0 matched="" text="" May 11 10:58:08 linux slapd[6292]: send_ldap_result: conn=0 op=2 p=3 May 11 10:58:08 linux slapd[6292]: send_ldap_result: err=0 matched="" text="" May 11 10:58:08 linux slapd[6292]: send_ldap_response: msgid=3 tag=101 err=0 May 11 10:58:08 linux slapd[6292]: conn=0 op=2 SEARCH RESULT tag=101 err=0 nentries=4 text= May 11 10:58:09 linux slapd[6292]: daemon: activity on 1 descriptor May 11 10:58:09 linux slapd[6292]: daemon: activity on: May 11 10:58:09 linux slapd[6292]: 12r May 11 10:58:09 linux slapd[6292]: May 11 10:58:09 linux slapd[6292]: daemon: read active on 12 May 11 10:58:09 linux slapd[6292]: connection_get(12) May 11 10:58:09 linux slapd[6292]: connection_get(12): got connid=0 May 11 10:58:09 linux slapd[6292]: connection_read(12): checking for input on id=0 May 11 10:58:09 linux slapd[6292]: ber_get_next on fd 12 failed errno=11 (Resource temporarily unavailable) May 11 10:58:09 linux slapd[6292]: daemon: select: listen=7 active_threads=0 tvp=zero May 11 10:58:09 linux slapd[6292]: daemon: select: listen=8 active_threads=0 tvp=zero May 11 10:58:09 linux slapd[6292]: do_search May 11 10:58:09 linux slapd[6292]: >>> dnPrettyNormal: <ou=UK_grp, ou=people, dc=AEL, dc=IT> May 11 10:58:09 linux slapd[6292]: <<< dnPrettyNormal: <ou=UK_grp,ou=people,dc=AEL,dc=IT>, <ou=uk_grp,ou=people,dc=AEL,dc=IT> May 11 10:58:09 linux slapd[6292]: SRCH "ou=UK_grp, ou=people, dc=AEL, dc=IT" 1 3 May 11 10:58:09 linux slapd[6292]: 0 0 0 May 11 10:58:09 linux slapd[6292]: begin get_filter May 11 10:58:09 linux slapd[6292]: PRESENT May 11 10:58:09 linux slapd[6292]: end get_filter 0 May 11 10:58:09 linux slapd[6292]: filter: (objectClass=*) May 11 10:58:09 linux slapd[6292]: attrs: May 11 10:58:09 linux slapd[6292]: objectclass May 11 10:58:09 linux slapd[6292]: May 11 10:58:09 linux slapd[6292]: conn=0 op=3 SRCH base="ou=UK_grp,ou=people,dc=AEL,dc=IT" scope=1 deref=3 filter="(objectClass=*)" May 11 10:58:09 linux slapd[6292]: conn=0 op=3 SRCH attr=objectclass May 11 10:58:09 linux slapd[6292]: => bdb_search May 11 10:58:09 linux slapd[6292]: bdb_dn2entry("ou=uk_grp,ou=people,dc=AEL,dc=IT") May 11 10:58:09 linux slapd[6292]: => bdb_dn2id("ou=uk_grp,ou=people,dc=AEL,dc=IT") May 11 10:58:09 linux slapd[6292]: <= bdb_dn2id: get failed: DB_NOTFOUND: No matching key/data pair found (-30989) May 11 10:58:09 linux slapd[6292]: send_ldap_result: conn=0 op=3 p=3 May 11 10:58:09 linux slapd[6292]: send_ldap_result: err=10 matched="ou=people,dc=AEL,dc=IT" text="" May 11 10:58:09 linux slapd[6292]: send_ldap_result: conn=0 op=3 p=3 May 11 10:58:09 linux slapd[6292]: send_ldap_result: err=32 matched="ou=people,dc=AEL,dc=IT" text="" May 11 10:58:09 linux slapd[6292]: send_ldap_response: msgid=4 tag=101 err=32 May 11 10:58:09 linux slapd[6292]: conn=0 op=3 SEARCH RESULT tag=101 err=32 nentries=0 text= May 11 10:58:11 linux slapd[6292]: daemon: activity on 1 descriptor May 11 10:58:11 linux slapd[6292]: daemon: activity on: May 11 10:58:11 linux slapd[6292]: 12r May 11 10:58:11 linux slapd[6292]: May 11 10:58:11 linux slapd[6292]: daemon: read active on 12 May 11 10:58:11 linux slapd[6292]: connection_get(12) May 11 10:58:11 linux slapd[6292]: connection_get(12): got connid=0 May 11 10:58:11 linux slapd[6292]: connection_read(12): checking for input on id=0 May 11 10:58:11 linux slapd[6292]: ber_get_next on fd 12 failed errno=0 (Success) May 11 10:58:11 linux slapd[6292]: connection_read(12): input error=-2 id=0, closing. May 11 10:58:11 linux slapd[6292]: connection_closing: readying conn=0 sd=12 for close May 11 10:58:11 linux slapd[6292]: connection_close: deferring conn=0 sd=12 May 11 10:58:11 linux slapd[6292]: daemon: select: listen=7 active_threads=0 tvp=zero May 11 10:58:11 linux slapd[6292]: daemon: select: listen=8 active_threads=0 tvp=zero May 11 10:58:11 linux slapd[6292]: daemon: activity on 1 descriptor May 11 10:58:11 linux slapd[6292]: daemon: activity on: May 11 10:58:11 linux slapd[6292]: May 11 10:58:11 linux slapd[6292]: daemon: select: listen=7 active_threads=0 tvp=zero May 11 10:58:11 linux slapd[6292]: daemon: select: listen=8 active_threads=0 tvp=zero May 11 10:58:11 linux slapd[6292]: do_unbind May 11 10:58:11 linux slapd[6292]: conn=0 op=4 UNBIND May 11 10:58:11 linux slapd[6292]: connection_resched: attempting closing conn=0 sd=12 May 11 10:58:11 linux slapd[6292]: connection_close: conn=0 sd=12 May 11 10:58:11 linux slapd[6292]: =>ldap_back_conn_destroy: fetching conn 0 May 11 10:58:11 linux slapd[6292]: daemon: removing 12 May 11 10:58:11 linux slapd[6292]: conn=0 fd=12 closed --------------------------------------------------------------------------------------------------------

1 0

Can I import {lanman} into OpenLDAP?
by Frittella Laurento 15 May '07

15 May '07

Hi all, I tried to import a lanman_hash using something like this: userPassword: {lanman}4d08da7845568dd9a99e999999c3ac6f ldapmodify import it without errors, but my user cannot authenticate :( PS: I'm sure about the password I used What's wrong? Regards, Laurento

1 0

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-software