openldap-software

openldap-software@openldap.org

2719 discussions

Exception handling!!!
by Pratima Shet 20 Apr '10

20 Apr '10

Hi all, I am using openldap library in Mac os ( Snow leopard). Some time, my code crashes inside the "liblber". I am using ldap_start_tls_s(). I think ldap_start_tls_s() is corrupting the ldap handle. How can I catch the exceptions from the library? In some link I found out that It supports exception handling. thanks and regards, Pratima

2 1

ldapsearch and international coded characters
by Luis Neves 20 Apr '10

20 Apr '10

Hi there, This is my first post on this list, please if be gentle if I make any mistake agains the list rules, but I think it will not be the case Iam trying to use mod_authz_ldap in apache to authenticate users against an openldap directory which contains some fields from a X.509 users certificates. Theres a subjetDN field on the directory that contains this data: issuerDN: /C=PT/O=Cart\xC3\xA3o de Cidad\xC3\xA3o/OU=subECEstado/CN=EC de Aute ntica\xC3\xA7\xC3\xA3o do Cart\xC3\xA3o de Cidad\xC3\xA3o 0003 Its a base64 coded string, equivalent to "Cartão de Cidadão" and "Autenticação do Cartão de Cidadão 0003" the problem is that, mod_authz_ldap is returning "bad search filter" when it tries to query the ldap directory with this data Testing using ldapsearch I have exactly the same problem so I thing they are related: if i make this search: ldapsearch -x -h ****** -p 389 -D "cn=******" -w **** -s sub -b "ou=AuthzLDAPCertmap,dc=cm-lisboa,dc=pt" "(issuerDN=/C=PT/O=Cart\xC3\xA3o de Cidad\xC3\xA3o/OU=subECEstado/CN=EC de Autentica\xC3\xA7\xC3\xA3o do Cart\xC3\xA3o de Cidad\xC3\xA3o 0003)" I get the (-7) Bad Search Filter error if i strip all the '\x' from the search filter, i dont get the error but of course it returns nothing as well. Can somebody help me? how can i do this kind of search with ldapsearch and how can I use mod_authz_ldap when theres users outhere who has accented characters on their certificates?? Regards Luis _________________________________________________________________ Hotmail: Powerful Free email with security by Microsoft. https://signup.live.com/signup.aspx?id=60969

1 0

Re: ACLs - match FDN to portion of attribute
by Sergiy Stepanenko 19 Apr '10

19 Apr '10

On 04/19/2010 04:04 PM, masarati(a)aero.polimi.it wrote: >> Hi Andrew >> I finally figured it out and here is what I did: >> >> ACL >> ----- >> access to attrs=uofsGroupRole val.regex="^([^:]+):.+$" >> by dn.exact,expand="${v1}" read >> by * none >> >> Only attribute that contains users' dn within its value is available to >> said user. It works exactly the way I want it. Only difference from >> documentation is "${v1}" which explained here: >> http://www.openldap.org/lists/openldap-bugs/200811/msg00078.html if you >> are interested... > > I've documented this feature in slapd.access(5), as part of ITS#5804. > > Thanks, p. > > My pleasure. -- Sergiy Stepanenko Systems Administrator Information Technology Services University of Saskatchewan ----------------------------------- phone: (306) 966-2762 email:sergiy.stepanenko@usask.ca

1 0

ACLs - match FDN to portion of attribute
by Sergiy Stepanenko 19 Apr '10

19 Apr '10

Hello everybody, I am in need of a good advice. I have a problematic spot in my ACL and so far i can not figure out what to do with it. This is what needs to be accomplished: an Entry has attribute uofsGroupRole that may contain values like : uid=some_user, ou=nsids,ou=people,dc=usask,dc=ca:some_role only user with matching uid may see this attribute and its value. I tried : access to attrs=uofsGroupRole val.regex="uid=([^,]+),ou=nsids,ou=people,dc=usask,dc=ca.*$" by dn.regex="uid=$1,ou=nsids,ou=people,dc=usask,dc=ca$" read And it did not work as required. I know the problem in regex, but I can not find it. Any suggestions are greatly appreciated. Cheers -- Sergiy Stepanenko Systems Administrator Information Technology Services University of Saskatchewan ----------------------------------- phone: (306) 966-2762 email:sergiy.stepanenko@usask.ca

3 4

Empty suffix database vs. rootDSE
by masarati＠aero.polimi.it 19 Apr '10

19 Apr '10

I've noticed that if a producer is rooted at the empty suffix, searches for the rootDSE (base="", scope="base"), return an entry consisting in the rootDSE entry plus the producer's contextCSN. I've tracked this down to backend_operational(): at some point, when the entry is almost ready, selects the database that serves the empty DN, and calls that database's be_operational() helper; here syncprov_operational() adds the contextCSN. Is this intended? I'm asking because indeed this is the only way we can get the contextCSN for that database; searches with base="" and scope other than "base" would return the database's entries but no entry with empty dn. p.

2 1

OpenLDAP ACLs Question
by Tim Gustafson 19 Apr '10

19 Apr '10

Hi, We have three OpenLDAP servers: 10.0.0.2, 10.0.0.3 and 10.0.0.4 and one web server 10.0.0.5. For a long time we've had two baseDN databases running on the OpenLDAP servers with ACLs configured so that anyone on the subnet can read anything in the system and our replication has been working well. Recently, we've added the third database with more restrictive ACLs that look like this: ============================================================ access to * by dn="uid=replicator,ou=People,dc=bar" read by * break access to attrs=userPassword,sambaNTPassword by group/groupOfNames/Member="cn=ldap-admins,ou=Group,dc=bar" write by self write by anonymous auth by * none access to attrs=entry,uid,cn,sn,givenName,title,departmentNumber,mail,telephoneNumber,roomNumber by group/groupOfNames/Member="cn=ldap-admins,ou=Group,dc=bar" write by users read by * none access to * by group/groupOfNames/Member="cn=ldap-admins,ou=Group,dc=bar" write by * none ============================================================ With these ACLs, replication works when anyone in the ldap-admins group posts an update to the server. However, if a user updates their own password, replication does not take place. If we change the last access clause to this: ============================================================ access to * by group/groupOfNames/Member="cn=ldap-admins,ou=Group,dc=bar" write by peername.regex="10\.0\.0\.5" read by * none ============================================================ then the user self-updates are replicated properly. Note that 10.0.0.5 is the *web server*. The way I read this ACL, it means we're granting read access to the web server, and in so doing, the other two LDAP servers (10.0.0.3 and 10.0.0.4) are magically able to replicate data again. When replication is *not* working in this set-up, re-starting slapd on 10.0.0.3 and 10.0.0.4 (without changing any ACLs anywhere) causes them to suck down all the updates they missed before. Am I misunderstanding the way these ACLs work? Is there any way that giving READ access to the web server (which it already has by virtue of the user having bound themselves to the LDAP server) should cause replication for 10.0.0.3 and 10.0.0.4 to work again? Or is this perhaps a bug in the version of slapd (2.3.43; yes I know it's old; it's a vendor package and that's how we roll around here at the moment) that we're running? I'm not really asking anyone to fix the problem or to offer a solution to the problem...I just want to know if this sort of replication issue was a known problem in the past? Tim Gustafson Baskin School of Engineering UC Santa Cruz tjg(a)soe.ucsc.edu 831-459-5354

3 2

Help with openldap and starttls
by john espiro 16 Apr '10

16 Apr '10

I have read through all of the docs and am having trouble setting up openldap to use starttls. How do I configure OpenLDAP (command line tool) to use Start TLS? Thanks, John

3 6

Authenticating with multiple databases
by Ian Gillman 16 Apr '10

16 Apr '10

We have a situation where we have 2 OpenLDAP databases containing usernames, passwords etc... for two distinct entities. We would like to be able to send an authentication request to one of the databases and have it return yes or no based upon the information in both databases. In other words, database A (DBa) has user A's (Ua) credentials and database B (DBb) has user B's (Ub) credentials. We would like to be able to talk to either DBa or DBb and get back the user credentials and authentication for both Ua and Ub. Is there some way I can set up OpenLDAP to be able to try and authenticate a user request locally and then, if that fails, to authenticate the request remotely without the requestor having to know about the remote database? We do not want to replicate information between the databases. Thanks Ian Gillman Senior Network Administrator Monroe Clinic 608-324-1416 ian.gillman(a)monroeclinic.org CONFIDENTIALITY NOTICE: ------------------------ This message and any included attachments are from Monroe Clinic and are for the sole use of the intended recipient(s). This message may contain confidential and privileged information. Unauthorized review, use, disclosure or distribution is strictly prohibited and may be unlawful. If you are not the intended recipient, please promptly delete this message and notify the sender of the delivery error by e-mail or you may call Monroe Clinic at (608)324-1000 or (608)324-2000.

3 2

any benefit to skipping unused schema files?
by Tim Mooney 16 Apr '10

16 Apr '10

I'm preparing to upgrade our OpenLDAP installation from 2.3.x to 2.4.21. I've been through chapter 13 (Schema Specification) of the admin guide and read the entries in the schema section of the FAQ. With 2.4.x, there are several more schema files that are loaded by default, vs. what we are using in our 2.3.x installation (core, cosine, inetorgperson, misc, and one custom overlay). Is there any appreciable benefit to not loading schema files that I'm confident we won't be using (java, dyngroup, corba, probably others)? I generally avoid "kitchen sink" software installation and prefer to pare down what's enabled in a software package to the bits we need, but I can't imagine skipping a few schema files is going to save a significant amount of resources on a modern system with 24 GiB RAM. Is there any other reason to skip schema files we won't be using? Thanks, Tim -- Tim Mooney Tim.Mooney(a)ndsu.edu Enterprise Computing & Infrastructure 701-231-1076 (Voice) Room 242-J6, IACC Building 701-231-8541 (Fax) North Dakota State University, Fargo, ND 58105-5164

2 1

ACLs - allowing a user to add a new attribute
by Matt Ingram 15 Apr '10

15 Apr '10

Hi All. We're trying to implement acls that will allow our Admins to modify the LDAP directory without using a generic admin account, and using their own credentials within LDAP. Our requirement is that the Admins can modify the mail, uid and userPassword attributes. Which I have working. Part of this also requires that the Admin has the ability to add those attributes. That does not work. We have our system automated so that HR creates a user and the basics are automatically populated into LDAP, however the mail, uid and userpassword attributes are not created at that time. What kind of an ACL do I need to allow the Admins to create the mail, uid and userPassword attributes ? Thanks in advance. Matt. Here's what I have for ACLs access to dn="cn=Manager,dc=domain,dc=com" by * auth access to dn="ou=Admins,dc=domain,dc=com" by dn.children="ou=Admins,dc=domain,dc=com" read by * auth access to attrs=employeeNumber by dn.children="ou=Admins,dc=domain,dc=com" write by self read by * search #Allow Admins ou and ldappers group to modify ldap's userPassword attribute access to attrs=userPassword by group/groupOfNames/member="cn=ldappers,ou=Apps,ou=Groups,ou=Accounts,dc=domain,dc=com" write by dn.children="ou=Admins,dc=domain,dc=com" write by self write by * auth #allow Admins ou and ldappers group to modify ldap's mail and uid attributes and cbnActive attribute access to attrs=mail,uid by group/groupOfNames/member="cn=ldappers,ou=Apps,ou=Groups,ou=Accounts,dc=domain,dc=com" write by dn.children="ou=Admins,dc=domain,dc=com" write by self read by * read access to * by dn.children="ou=Admins,dc=domain,dc=com" write by * read -- Matt Ingram Intermediate Unix Administrator, IS Canadian Bank Note Company, Limited \m/

4 7

← Newer
1
2
3
4
5
6
7
8
...
272
Older →

Jump to page:

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-software