Syncrepl question
by Ivan Ordonez
Hi all,
We have a small domain with about 500 users and computers. We are
using Samba with OpenLDAP integration to authenticate user logins and
file sharing. Our setup consists of 3 servers running Gentoo Linux -
1 PDC and 2 BDCs. As for replication, we are still using "slurpd". Any
change or modification is done through the PDC, which replicates the
changes to BDC1, then from BDC1 it goes down to BDC2 - it's like a
chain.
We want to start using "syncrepl" soon as a way to replicate our
database, but I'm not sure where to start. We want to set up all of our
machines to sync with each other every day, and not worry about which machine is
used to make changes, modifications, etc. I'm not sure which syncrepl
function to use to achieve what we want to do. Is "N-Way Multi Master
replication" the correct choice to do this? We are using the "BDB" database
on each server, and would like to achieve this with minimal downtime if
possible. What is the best way to do this? Please advise.
Any help is greatly appreciated.
-Ivan
14 years, 6 months
{SSHA} for PHP
by Jack van Rock
Hi,
I want to modify a website-login-system (PHP) to check passwords which
are decoded with SSHA.
My script should compare the clear password, which I get from a FORM,
with the SSHA-hash of the password, which is in the database (MySQL).
The data in the MySQL-DB comes from an LDAP.
This is my script:
<?php
$password_sub = "test";
// I get the password from an HTML form
$passsowrd_hash_db = base64_decode("e1NTSEF9aH....");
// I get this base64 hash from the database.
// It is decoded right away, because the $salt is needed from it.
// It then has the form {SSHA}hxtMi....
$salt = base64_decode(substr($passsowrd_hash_db , 32));
// Calculation of the $salt
$hash = "{SSHA}" . base64_encode(pack("H*", sha1($password_sub.$salt)).$salt);
?>
But the script doesn't work, because the generated hash isn't the same
as the hash from the database.
But I don't know what's wrong.
Can someone help me?
m@xx
14 years, 6 months
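An added example, not part of the original post: one way to check a cleartext password against an {SSHA} value in PHP, assuming the usual layout "{SSHA}" followed by base64 of the 20-byte raw SHA-1 digest and then the salt. The helper names ssha_make and ssha_verify and the sample password and salt are constructed for illustration.

```php
<?php
// Added example: verify a cleartext password against an LDAP {SSHA} value.
// Assumed layout: "{SSHA}" . base64( sha1(password . salt) . salt ),
// where the raw SHA-1 digest is 20 bytes and the salt is everything after it.

const SSHA_SCHEME = '{SSHA}';
const SHA1_LEN = 20;

// Hypothetical helper: build an {SSHA} value (used here only to make sample data).
function ssha_make(string $password, string $salt): string
{
    return SSHA_SCHEME . base64_encode(sha1($password . $salt, true) . $salt);
}

// Hypothetical helper: returns true when $password matches $stored.
function ssha_verify(string $password, string $stored): bool
{
    // The post's database column holds the value base64-encoded once more
    // ("e1NTSEF9" is base64 for "{SSHA}"), so unwrap that layer if present.
    if (strncasecmp($stored, SSHA_SCHEME, strlen(SSHA_SCHEME)) !== 0) {
        $stored = (string) base64_decode($stored, true);
    }
    if (strncasecmp($stored, SSHA_SCHEME, strlen(SSHA_SCHEME)) !== 0) {
        return false;                          // not an {SSHA} value
    }
    // Decode the part after the scheme first, then split digest from salt.
    $raw = base64_decode(substr($stored, strlen(SSHA_SCHEME)), true);
    if ($raw === false || strlen($raw) <= SHA1_LEN) {
        return false;                          // bad base64, or no salt bytes
    }
    $digest = substr($raw, 0, SHA1_LEN);
    $salt   = substr($raw, SHA1_LEN);
    // hash_equals() compares in constant time.
    return hash_equals($digest, sha1($password . $salt, true));
}

// Constructed sample data: password "test", random 4-byte salt.
$ldapValue = ssha_make('test', random_bytes(4));
$dbValue   = base64_encode($ldapValue);        // as stored in the post's MySQL column

var_dump(ssha_verify('test', $ldapValue));     // plain {SSHA} value
var_dump(ssha_verify('test', $dbValue));       // base64-wrapped value
var_dump(ssha_verify('wrong', $dbValue));      // wrong password
var_dump(ssha_verify('test', '{SSHA}AAAA'));   // truncated value is rejected
```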
SASL error
by Mansour Al Akeel
I am not able to modify a user from CLI.
[root@neptune ~]# ldapsearch -D "cn=Manager,dc=test,dc=com" -W -b
"dc=test,dc=com" -x -h localhost
I get all the entries. However, when I do:
[root@neptune ~]# ldapmodify -D "cn=Manager,dc=test,dc=com" -W -h
localhost
Enter LDAP Password:
SASL/DIGEST-MD5 authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)
additional info: SASL(-13): user not found: no secret in database
If I use the -x option, it hangs there forever after I enter the password.
Any idea?
14 years, 6 months
hello
by Donny George
Hello
I installed the LDAP client and software on two Ubuntu machines, but when I try
to log in with the phpldapadmin GUI it displays
Network Error (tcp_error)
A communication error occurred: "Connection refused" The Web Server may
be down, too busy, or experiencing other problems preventing it from
responding to requests. You may wish to try again at a later time.
I am new to LDAP and I couldn't really find a forum or thread which was talking
about this problem.
Hope someone can help me.
--
Donny George
14 years, 6 months
Samba failed to bind Ldap
by Emil Sicad - ISD
Good day to all,
I'm new to LDAP. I've been working with SAMBA-LDAP implem.
and I have these log messages:
Nov 25 17:56:59 smbldap slapd[9974]: sql_select option missing
Nov 25 17:56:59 smbldap slapd[9974]: auxpropfunc error no mechanism
available
Nov 25 17:56:59 smbldap ldap: slapd startup succeededs
Nov 25 17:57:07 smbldap smbd[9987]: [2008/11/25 17:57:07, 0]
lib/smbldap.c:smbldap_connect_system(850)
Nov 25 17:57:07 smbldap smbd[9987]: failed to bind to server with dn=
cn=Manager,dc=fcb.net,dc=. Error: Can't contact LDAP server
Nov 25 17:57:07 smbldap smbd[9987]: (unknown)
Nov 25 17:57:23 smbldap smbd[9987]: [2008/11/25 17:57:23, 0]
lib/smbldap.c:smbldap_search_suffix(1155)
Nov 25 17:57:23 smbldap smbd[9987]: smbldap_search_suffix: Problem
during the LDAP search: (unknown) (Timed out)
Questions
1) Is my LDAP working fine?
2) Why can't Samba bind to LDAP?
Please teach me to understand these kinds of errors.
Emil Sicad
Cebu Mitsumi Inc
Information Systems Division
14 years, 6 months
schema design and schema restrictions
by Mansour Al Akeel
Hello all,
I am new to LDAP, and I have a need to migrate the existing system to
LDAP as this will ease a bit the management for the new system
implementation. I need to authenticate users for a web site, and for the
internal system (Linux, Windows stations, etc.). Now the available
account objectclass is structural so I cannot use inetorgperson with
account as both are structural. In this case I decided to extend
inetOrgPerson, and add username and password as MUST attributes. This
is because all the users have access to the web site and they need
authentication, but some users will need to have access to the machines.
In this case I will create a new objectClass (i.e. accountInfo) which
contains the info I need (home directory, shell, loginScript, etc.).
The issue here is how do I restrict the accountInfo to be added under
User? This is in fact not only specific to this scenario. I couldn't
find any docs about how to prevent objectClass domain to be added under
group!
Finally, how do other LDAP admins deal with similar cases? Any advice?
Thank you.
14 years, 6 months
Tracking down persistent OpenLDAP corruption
by Gilbert Wilson
So... I'm having a problem with persistent corruption in Apple's Open
Directory. I believe this corruption is related to OpenLDAP and the
BerkeleyDB. I was hoping that folks here might be able to help me
track down whether this is the problem or not.
Essentially, what is happening is that user accounts will "disappear"
from workgroup manager and dscl[1]. Accounts that have maintained a
persistent connection will continue to be authenticated. But, accounts
that are not authenticated will be unable to authenticate. The
Directory Administrator account, for example, cannot authenticate at
these times. If I restart slapd, all the missing accounts that had
persistent connections will no longer be able to authenticate.
An LDIF export, however, will show that the accounts are all still
there.
A regular repair and a catastrophic repair of the BerkeleyDB does
not work.[2] The first time this happened, it DID work, but
subsequent events have not been so easily fixed.
A restore from backup is the only way to fix it. However, I suspect
that there is malformed data lurking somewhere in the OpenLDAP
system. The backups all have this malformed data. Thus, it doesn't
take very much for the system to get corrupted again. A hard shutdown
does it every time, and a minor upgrade to the OS did it, too.
The standard suggested fix is destroy and rebuild the Open Directory
setup. For obvious reasons, I would like to avoid this. I want to
know *what* is happening.
If it is, in fact, malformed data that is becoming corrupt, *what*
data should I be examining, *where* is it located, and *how* do I
check it for anomalies?
Has anyone else had this kind of persistent corruption of their LDAP
system? What was causing it? How did you find it?
Any leads or words of wisdom would be greatly appreciated.
Gilbert Wilson
[1] http://developer.apple.com/documentation/Darwin/Reference/ManPages/man1/d...
[2] http://developer.apple.com/documentation/Darwin/Reference/ManPages/man1/d...
14 years, 6 months
Disabling User Account
by piyush joshi
Dear Team,
Is there any Schema or Attribute which can be used to disable a user
account if that account has not been used for one month, or by
providing a date in advance to disable the account in the future
automatically?
--
Regards
Piyush Joshi
9415414376
14 years, 6 months
Re: Delta-sync symptom in 2.4.11
by William Jojo
---- Original message ----
>Date: Thu, 20 Nov 2008 11:02:40 -0800
>From: Quanah Gibson-Mount <quanah(a)zimbra.com>
>Subject: Re: Delta-sync symptom in 2.4.11
>To: William Jojo <w.jojo(a)hvcc.edu>,openldap-technical(a)openldap.org
>
>--On Thursday, November 20, 2008 10:38 AM -0500 William Jojo
><w.jojo(a)hvcc.edu> wrote:
>
>
>> Otherwise this is just like test043, except for the missing dn's. :-)
>>
>> Any ideas?
>
>Try current RE24 CVS. There have been a number of replication related
>fixes made since 2.4.11.
>
I just tried 2.4.13. The problem still persists. I will check out the CVS version in the morning.
Cheers,
Bill
>--Quanah
>
>--
>
>Quanah Gibson-Mount
>Principal Software Engineer
>Zimbra, Inc
>--------------------
>Zimbra :: the leader in open source messaging and collaboration
14 years, 6 months