date/time attributes
by Ildar Mulyukov
Hello again!
Can anyone point me to attributes designating date and/or time?
For example, is there a counterpart of VCard BDAY attribute?
Thanks! Regards, Ildar
--
Ildar Mulyukov, free SW designer/programmer
================================================
email: ildar(a)users.sourceforge.net
home: http://tuganger.narod.ru/
ALT Linux Sisyphus
================================================
15 years, 5 months
Blank Password for a ldap user
by Rocky S
I am very new to LDAP programming, so bear with me if my query is naive.
I am trying to write a program using the OpenLDAP SDK.
The program should take an LDAP servername/port, a CN & a password.
The program should then report if the CN/password combination is correct
or incorrect.
This is how I am trying to do this.
[ error checks removed for making it simple]
#define LDAP_DEPRECATED 1   /* ldap_bind_s() is only declared with this set */
#include <stdio.h>
#include <ldap.h>

int main(void)
{
    LDAP *pldap;
    ldap_initialize(&pldap, "ldap://myhost:389");
    int desired_version = LDAP_VERSION3;
    ldap_set_option(pldap, LDAP_OPT_PROTOCOL_VERSION, &desired_version);
    int ret = ldap_bind_s(pldap,
        "uid=Jack,ou=People,dc=vss,dc=veritas,dc=com", "jack123",
        LDAP_AUTH_SIMPLE);
    if (ret == LDAP_SUCCESS)
        puts("VERIFIED");
    else
        puts("FAILURE");
    ldap_unbind_ext_s(pldap, NULL, NULL);
    return 0;
}
This works fine for Jack/jack123.
I have another user in the directory, John, who has a null/empty password.
I tried both
ldap_bind_s(pldap, "uid=John,ou=People,dc=vss,dc=veritas,dc=com",
NULL, LDAP_AUTH_SIMPLE);
ldap_bind_s(pldap, "uid=John,ou=People,dc=vss,dc=veritas,dc=com", "",
LDAP_AUTH_SIMPLE);
In both cases ldap_bind_s returns 53, which I think means LDAP_UNWILLING_TO_PERFORM.
I know the server allows null passwords.
15 years, 5 months
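The 53 in the post is the LDAP result unwillingToPerform, which is what OpenLDAP returns by default when a bind supplies a DN together with an empty password. RFC 4513 section 5.1.2 calls that an unauthenticated bind: if a server accepts it (OpenLDAP only does so with "allow bind_anon_cred" in slapd.conf), the session is bound as anonymous, the DN is never checked, and a program that equates "bind returned success" with "password is correct" will print VERIFIED for any DN and an empty password. The example below is added here and is not the poster's program; the fake directory, the DNs and the bind callable that returns result codes the way ldap_bind_s does are all constructed for it. With python-ldap the bind callable would wrap conn.simple_bind_s() and map ldap.INVALID_CREDENTIALS and ldap.UNWILLING_TO_PERFORM to the codes used here.

```python
"""Password check that does not mistake an unauthenticated bind for a login.

Added example, not the poster's code.  FakeDirectory stands in for the
server; its bind() returns an LDAP result code like ldap_bind_s() does.
"""

LDAP_SUCCESS = 0
LDAP_INVALID_CREDENTIALS = 49
LDAP_UNWILLING_TO_PERFORM = 53


class FakeDirectory:
    """Constructed stand-in for an LDAP server.

    allow_unauthenticated mirrors a server that accepts 'DN + empty
    password' as an anonymous bind (RFC 4513 5.1.2); OpenLDAP refuses it
    unless 'allow bind_anon_cred' is set.
    """

    def __init__(self, accounts, allow_unauthenticated):
        self.accounts = accounts                    # dn -> clear-text password
        self.allow_unauthenticated = allow_unauthenticated

    def bind(self, dn, password):
        if password is None or password == "":
            # Unauthenticated bind: the DN is not looked at, so a lenient
            # server "succeeds" for any DN, bound as anonymous.
            if self.allow_unauthenticated:
                return LDAP_SUCCESS
            return LDAP_UNWILLING_TO_PERFORM
        if self.accounts.get(dn) == password:
            return LDAP_SUCCESS
        return LDAP_INVALID_CREDENTIALS


def naive_check(bind, dn, password):
    """The logic from the post: bind succeeded, therefore password correct."""
    return bind(dn, password) == LDAP_SUCCESS


def verify_credentials(bind, dn, password):
    """Safe variant: never attempt a bind with an empty DN or password, so a
    lenient server cannot turn 'no password' into VERIFIED.  An account
    whose stored password is empty is therefore never verifiable, which is
    the only sane answer for a password check."""
    if not dn or not password:
        return False
    return bind(dn, password) == LDAP_SUCCESS


# Constructed sample directory: Jack has a password, John's is empty.
ACCOUNTS = {
    "uid=Jack,ou=People,dc=example,dc=com": "jack123",
    "uid=John,ou=People,dc=example,dc=com": "",
}
STRICT = FakeDirectory(ACCOUNTS, allow_unauthenticated=False)   # OpenLDAP default
LENIENT = FakeDirectory(ACCOUNTS, allow_unauthenticated=True)   # allow bind_anon_cred

if __name__ == "__main__":
    jack = "uid=Jack,ou=People,dc=example,dc=com"
    for name, server in (("strict", STRICT), ("lenient", LENIENT)):
        print(name, "naive  Jack + '' ->", naive_check(server.bind, jack, ""))
        print(name, "safe   Jack + '' ->", verify_credentials(server.bind, jack, ""))
        print(name, "safe   Jack + jack123 ->", verify_credentials(server.bind, jack, "jack123"))
```

The strict server makes both checkers fail for an empty password, which is what the post observes. The lenient server is the case to worry about: naive_check reports VERIFIED for Jack, or for a DN that does not exist at all, because the server never compared anything. The client-side guard is what keeps the program correct regardless of server policy.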
logs and I/O Performances
by Andre Stoffel
Hi all,
We are using 3 LDAP directories based on OpenLDAP 2.2.23 (number of objects: between 4000 and 11000 in the DBs).
The hardware is based on HP servers, correctly dimensioned but not oversized; the disks reside on an EMC Symmetrix.
We tried to enable the LDAP logs but had to stop after the first test: a common request took between 1 and 2 seconds instead of a few milliseconds.
Does anybody have an idea of what is going wrong: settings, architecture?
Thanks.
André.
15 years, 5 months
OpenLDAP as a Meta directory for eDirectory and Active Directory
by Jon Gerdes
I have a requirement to link up the contents of an AD and an eDir into a single meta dir. I am testing all this on a small system. The basic idea is that a user will be able to do a search on their uid and then bind to it. Their account could be in either the AD or the eDir. I would want to support both simple and digest-md5 binds. Both eDir and AD support SASL digest md5 binds but AD does not allow simple binds. I do not wish to change the back ends but just work with what is there.
In my test system I have dc=blueloop,dc=net at the top with ou=edir and ou=ad to be mapped under the top level. My gerdesj account has all the relevant rights in all cases.
I have gone around in circles on this several times! I can browse the edir container fine, i.e. a search of ou=edir,dc=blueloop,dc=net as anon returns what I would expect.
This seems to work OK:
ldapsearch -h localhost '(objectclass=*)' -D "cn=gerdesj,ou=edir,dc=blueloop,dc=net" -b "ou=edir,dc=blueloop,dc=net" -x -W
Trying to use SASL fails:
ldapsearch -h localhost -b 'ou=edir,dc=blueloop,dc=net' '(objectclass=*)' -Y DIGEST-MD5 -U "dn:cn=gerdesj,ou=edir,dc=blueloop,dc=net"
SASL/DIGEST-MD5 authentication started
Please enter your password:
ldap_sasl_interactive_bind_s: Invalid credentials (49)
additional info: SASL(-13): user not found: no secret in database
This seems to imply to me that the OpenLDAP box is trying to auth me rather than passing this off to the system it is proxying. Why?
I would also like to make the AD side of things such that it will allow a simple anonymous connection to search and then allow through a simple bind.
I've read everything I can find but have run out of steam. Thanks for any advice or pointers.
Cheers
Jon
Here is a chunk out of my slapd.conf
##### eDir
#ldapsearch -h localhost -b 'ou=edir,dc=blueloop,dc=net' -s sub -x -D '' '(objectclass=*)'
database ldap
suffix "ou=edir,dc=blueloop,dc=net"
uri "ldap://port.blueloop.net/"
subordinate
overlay rwm
rwm-suffixmassage "ou=edir,dc=blueloop,dc=net" "ou=users,o=blueloop"
##### AD
database ldap
suffix "ou=ad,dc=blueloop,dc=net"
uri "ldap://baileys.blueloop.net/"
subordinate
idassert-authzFrom "dn:regex=.*"
acl-bind
bindmethod=sasl
saslmech=DIGEST-MD5
authcId=gerdesj
authzId=gerdesj
credentials="{SSHA}xxxxxx"
idassert-bind
bindmethod=sasl
saslmech=DIGEST-MD5
binddn="cn=gerdesj,ou=users,ou=blueloop,dc=blueloop,dc=net"
credentials="{SSHA}xxxxxxxxxxxxxx"
mode=self
overlay rwm
rwm-suffixmassage "ou=ad,dc=blueloop,dc=net" "ou=users,ou=blueloop,dc=blueloop,dc=net"
15 years, 5 months
DSMLReader(dsmlFile) gives Invalid beginning tag :attr error
by Hamidreza Hamedtoolloei
Hey guys,
I am using jldap to communicate with ldap, and I get an exception when I am parsing a dsml file.
In more details, the following line of code
LDAPReader in = new DSMLReader(dsmlFile);
gives the following error
The following error occurred handling a DSML file: LDAPLocalException: The following error occurred while parsing DSML: org.xml.sax.SAXException: Invalid beginning tag :attr (84) Decoding Error
org.xml.sax.SAXException: Invalid beginning tag :attr
when dsmlFile is
<dsml:directory-entries>
<dsml:entry dn="uid=prabbit,ou=development,o=bowstreet,c=us">
<dsml:objectclass>
<dsml:oc-value>top</dsml:oc-value>
<dsml:oc-value>person</dsml:oc-value>
<dsml:oc-value>organizationalPerson</dsml:oc-value>
<dsml:oc-value>inetOrgPerson</dsml:oc-value>
</dsml:objectclass>
<dsml:attr name="sn"><dsml:value>Rabbit</dsml:value></dsml:attr>
<dsml:attr name="uid"><dsml:value>prabbit</dsml:value></dsml:attr>
<dsml:attr name="mail"><dsml:value>prabbit(a)dsml.org</dsml:value></dsml:attr>
<dsml:attr name="givenname"><dsml:value>Peter</dsml:value></dsml:attr>
<dsml:attr name="cn"><dsml:value>Peter Rabbit</dsml:value></dsml:attr>
</dsml:entry>
</dsml:directory-entries>
</dsml:dsml>
Any suggestions??
thanks
15 years, 5 months
Unable to add attribute to cn
by Frank, Hans, 232
Hi there,
I would like to add the attribute "orclnetdescstring" to the following
ldap object:
cn=TESTDB,cn=OracleContext,dc=test,dc=de
When trying this, I get the following error message:
09:44:42 AM: Failed to add 'orclnetdescstring' attribute for
ldap://***:389/cn=TESTDB,cn=OracleContext,dc=test,dc=de
Root error: [LDAP: error code 65 - attribute 'orclnetdescstring' not
allowed]
I did include the attributetype into the core.schema, which is included
in slapd.conf the following way:
attributetype ( 1.3.6.1.4.1.9232.6 NAME 'orclnetdescstring'
DESC 'Oracle-OID specific A-Type'
SUP name
)
or:
attributetype ( 1.3.6.1.4.1.9232.6 NAME 'orclnetdescstring' SUP name )
But that doesn't change anything. I am very new to openldap, so if there
are any good tutorials which describe such simple things (I suppose this
is something simple), please let me know.
I just need this object with some specific attributes, how can I realise
this?
Best Regards
Hans Frank
15 years, 5 months
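Error 65 is objectClassViolation: the attribute type exists in the schema, but none of the objectClasses on cn=TESTDB lists orclnetdescstring as MUST or MAY, so slapd refuses it. Defining the attribute is only half the job; an objectClass has to permit it, and an AUXILIARY class can be added to the existing entry without touching its structural class. The LDIF below is an added example, not from the post or from Oracle: the objectClass name and its OID (1.3.6.1.4.1.9232.100) are made up for illustration, the first record is loaded into cn=config (with slapd.conf, put the equivalent `attributetype` and `objectclass` lines in your own .schema file and `include` it after core.schema rather than editing core.schema), and the second record is the data change. If you have Oracle's own schema definitions for this attribute, load those instead of inventing a class.

```ldif
# 1. Schema (applied to cn=config, e.g. ldapadd -Y EXTERNAL -H ldapi:///).
#    The attribute type is the one from the post; the AUXILIARY class that
#    allows it is hypothetical, as is its OID.
dn: cn=oraclecontext,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: oraclecontext
olcAttributeTypes: ( 1.3.6.1.4.1.9232.6 NAME 'orclnetdescstring'
  DESC 'Oracle-OID specific attribute type'
  SUP name )
olcObjectClasses: ( 1.3.6.1.4.1.9232.100 NAME 'orclNetDescAux'
  DESC 'hypothetical auxiliary class that permits orclnetdescstring'
  SUP top AUXILIARY
  MAY orclnetdescstring )

# 2. Data (applied with ldapmodify as a DN allowed to write the entry):
#    add the auxiliary class and the attribute in one modify, so the
#    entry never passes through a state the schema would reject.
dn: cn=TESTDB,cn=OracleContext,dc=test,dc=de
changetype: modify
add: objectClass
objectClass: orclNetDescAux
-
add: orclnetdescstring
orclnetdescstring: (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=dbhost)(PORT=1521))(CONNECT_DATA=(SERVICE_NAME=TESTDB)))
```

The two records need different credentials (cn=config access for the schema, a directory DN with write access to cn=OracleContext for the data), so apply them as two ldapmodify runs. The connect descriptor value is a placeholder; put your real one there.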
Re: NIS to ldap layout
by Eric Ritchie
Gavin Henry wrote:
> Eric Ritchie wrote:
>> I have 3 NIS domains I wish to convert to ldap. I would like to keep
>> 3 separate areas in ldap since the NIS domains have different
>> accounts. I created a base dn and loaded data under 3 higher levels,
>> such as base is dc=xyz,dc=com and dc=a,dc=xyz,dc=com
>> dc=b,dc=xyz,dc=com dc=c,dc=xyz,dc=com. Then if I want client one to
>> be in domain a, I set its base to dc=a,dc=xyz,dc=com. This works for
>> host name lookups but when another host tries to login to the box via
>> telnet or rsh, the login hangs after the password is entered, ssh
>> works though. If I specify a binddn on the client with
>> dc=a,dc=xyz,dc=com, I can login via telnet and rsh but name lookups
>> fail on the host. Any idea what is causing this? Is this the best way
>> to have separate DBs for clients?
>>
>> Thanks
>>
>
> Sounds like you are using pam_ldap? I would post to their lists with
> you configurations etc.
>
> Gavin.
>
I emptied my ldap database to start fresh. I created a base of
dc=ibg,dc=com and loaded 2 hostname/IPs. I configured my client to use
ldap for hosts in /etc/nsswitch.conf. Its using ldap for host lookups
only, nothing else. The client works fine, it can find the 2 hosts in
ldap. If I try to telnet from a host not in ldap it works but if I try
to telnet from one of the hosts in ldap to my client, it hangs. If I set
binddn on the client, then the hosts in ldap can telnet to the client
but the client can't lookup host names. I'm new to ldap so I'm not sure
if this is a pam or ldap issue. I don't understand why enabling the
binddn allows the remote host to telnet but breaks local name lookups.
Thanks
--
Eric Ritchie
Interactive Brokers LLC
203-618-5868
15 years, 5 months
Re: OpenLDAP Group ACL
by Luke Lee
Sir,
I modified my settings and added the following group:
dn: cn=pwmanager,ou=Group,dc=mydomain,dc=com
objectClass: posixGroup
objectClass: top
cn: pwmanager
userPassword: {crypt}x
gidNumber: 550
memberUid: l_luke
memberUid: w_smith
I also modified my ACL in the slapd.conf:
access to attr=userPassword
by self write
by anonymous auth
by group/groupOfNames/member="cn=pwmanager,ou=Group,dc=mydomain,dc=com" write
by * none
access to *
by self write
by group/groupOfNames/member="cn=pwmanager,ou=Group,dc=mydomain,dc=com" write
by * read
I used the same command trying to change the user's password but received the exact same error. Would you please help? You mentioned that the nisNetgroup object doesn't fit in the ACL configuration in your previous reply. I had defined netgroups that looked like the following:
dn: cn=Sales,ou=Netgroup,dc=mydomain,dc=com
objectClass: nisNetgroup
objectClass: top
cn: Sales
nisNetgroupTriple: (,c_parks,mydomain.com)
nisNetgroupTriple: (,j_berryhill,mydomain.com)
nisNetgroupTriple: (,b_chen,mydomain.com)
Would there be a way for me to use the netgroup and its members for any ACL type of access?
Your help will be highly appreciated!
----- Original Message ----
From: Pierangelo Masarati <ando(a)sys-net.it>
To: Luke Lee <leeluke77(a)yahoo.com>
Cc: openldap-technical(a)openldap.org
Sent: Thursday, March 27, 2008 12:35:16 PM
Subject: Re: OpenLDAP Group ACL
> Hello,
>
> I'll appreciate it if any of you are willing to take time and share with
> me your experience with OpenLDAP running on a RedHat server configured
> with group ACL.
>
> I'm trying to grant a group of people (including myself) the permission to
> change user LDAP passwords. However, when I try to change a user's LDAP
> password, I received the following message:
>
> Result: Insufficient access (50)
>
> The command that I used was:
>
> ldappasswd -x -W -D "uid=l_luke,ou=Netgroup,dc=mydomain,dc=com" -S
> "uid=w_smith,ou=People,dc=mydomain,dc=com"
>
> My ACL settings in the slapd.conf file are:
>
> access to attr=userPassword
> by self write
> by anonymous auth
> by group.exact="cn=ITgroup,ou=Netgroup,dc=mydomain,dc=com" write
> by * none
> access to *
> by self write
> by group.exact="cn=ITgroup,ou=Netgroup,dc=mydomain,dc=com" write
> by * read
>
> My netgroup has been defined as the following:
>
> dn: cn=ITgroup,ou=Netgroup,dc=mydomain,dc=com
> objectClass: nisNetgroup
> objectClass: top
> cn: ITgroup
> nisNetgroupTriple: (,l_luke,mydomain.com)
> nisNetgroupTriple: (,w_smith,mydomain.com)
> nisNetgroupTriple: (,g_baker,mydomain.com)
> description: Password Keepers
>
> My user entry is:
>
> # l_luke, People mydomain.com
> dn: uid=l_luke,ou=People,dc=mydomain,dc=com
> uid: l_luke
> cn: l_luke
> objectClass: account
> objectClass: posixAccount
> objectClass: top
> objectClass: shadowAccount
> shadowLastChange: 13958
> shadowMax: 99999
> shadowWarning: 7
> loginShell: /bin/bash
> uidNumber: 10005
> gidNumber: 10005
> homeDirectory: /home/l_luke
> gecos: Luke Lee
>
> Can anyone point me to the right direction or share with me the correct
> group ACL settings that you have? Thanks!
As indicated in slapd.access(5), the member attribute must have either
distinguishedName syntax (or nameAndOptionalUID syntax) or be derived
from memberURL; it defaults to "member". It appears from your message
that you expect "nisNetgroupTriple" to be used as member attribute, but
you should specify that attribute in the ACL clause. However,
"nisNetgroupTriple" wouldn't be allowed since it doesn't comply with the
above restrictions. You need to use LDAP groups for access control;
nisNetGroup objects don't fit.
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team
SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office: +39 02 23998309
Mobile: +39 333 4963172
Email: pierangelo.masarati(a)sys-net.it
---------------------------------------
15 years, 5 months
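Putting the reply above into configuration, as an added example that is not part of the thread: a group whose membership attribute has DN syntax, and an ACL that names it. This is why neither attempt in the thread matched: nisNetgroupTriple is a plain string, and the second attempt pointed group/groupOfNames/member at a posixGroup, which carries memberUid (also a string, not a DN) and has no member attribute at all. The entry and ACL reuse the DNs from the posts; the olcDatabase name is an assumption, and with slapd.conf the `to ... by ...` text goes in unchanged as `access` lines. Two things a practitioner should check before blaming the ACL: the DN given to `ldappasswd -D` must be one of the DNs listed in member (the ou=People entry, not one under ou=Netgroup), and it must bind successfully, otherwise the group clause never matches.

```ldif
# Group with DN-valued membership.  groupOfNames/member is what
# group.exact="..." checks by default (slapd.access(5)).
dn: cn=pwmanager,ou=Group,dc=mydomain,dc=com
changetype: add
objectClass: top
objectClass: groupOfNames
cn: pwmanager
description: Password Keepers
member: uid=l_luke,ou=People,dc=mydomain,dc=com
member: uid=w_smith,ou=People,dc=mydomain,dc=com
member: uid=g_baker,ou=People,dc=mydomain,dc=com

# ACLs for the database holding ou=People.  olcDatabase={1}hdb is an
# assumption; with slapd.conf these are the same "access to ... by ..." lines.
# The userPassword clause must precede "to *", and "by * none" keeps the
# hashes unreadable to anyone not listed above it.
dn: olcDatabase={1}hdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword
  by self write
  by anonymous auth
  by group.exact="cn=pwmanager,ou=Group,dc=mydomain,dc=com" write
  by * none
olcAccess: {1}to *
  by self write
  by * read
```

Apply the first record as a directory administrator and the second against cn=config (for example with `-Y EXTERNAL -H ldapi:///`). Note that the `to *` clause deliberately does not grant the group write: the original ACL gave pwmanager write access to every attribute of every entry, far more than "may reset passwords". If the group genuinely needs to edit other attributes, add a separate `to attrs=...` clause listing exactly those.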
OpenLDAP Group ACL
by Luke Lee
Hello,
I'll appreciate it if any of you are willing to take time and share with me your experience with OpenLDAP running on a RedHat server configured with group ACL.
I'm trying to grant a group of people (including myself) the permission to change user LDAP passwords. However, when I try to change a user's LDAP password, I received the following message:
Result: Insufficient access (50)
The command that I used was:
ldappasswd -x -W -D "uid=l_luke,ou=Netgroup,dc=mydomain,dc=com" -S "uid=w_smith,ou=People,dc=mydomain,dc=com"
My ACL settings in the slapd.conf file are:
access to attr=userPassword
by self write
by anonymous auth
by group.exact="cn=ITgroup,ou=Netgroup,dc=mydomain,dc=com" write
by * none
access to *
by self write
by group.exact="cn=ITgroup,ou=Netgroup,dc=mydomain,dc=com" write
by * read
My netgroup has been defined as the following:
dn: cn=ITgroup,ou=Netgroup,dc=mydomain,dc=com
objectClass: nisNetgroup
objectClass: top
cn: ITgroup
nisNetgroupTriple: (,l_luke,mydomain.com)
nisNetgroupTriple: (,w_smith,mydomain.com)
nisNetgroupTriple: (,g_baker,mydomain.com)
description: Password Keepers
My user entry is:
# l_luke, People mydomain.com
dn: uid=l_luke,ou=People,dc=mydomain,dc=com
uid: l_luke
cn: l_luke
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
shadowLastChange: 13958
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 10005
gidNumber: 10005
homeDirectory: /home/l_luke
gecos: Luke Lee
Can anyone point me to the right direction or share with me the correct group ACL settings that you have? Thanks!
15 years, 5 months
ways to connect to IBM Lotus Directory
by Ildar Mulyukov
Hello,
I want to replicate an IBM Lotus Directory version 8 to my OpenLDAP
server.
Does anyone have such an experience?
Can anyone give me some good advice?
Thank you.
I was thinking of several questions:
1. I need IBM attributes, objectClasses etc. to use as an additional
OpenLDAP schema.
1a. Is it possible to create a schema file using LDAP schema discovery?
2. Is Syncrepl of any use here?
3. As a last resort I could use ldapsearch+ldapadd as soon as I get
Lotus schema.
Thanks for any help.
Best regards, Ildar
--
Ildar Mulyukov, free SW designer/programmer
================================================
email: ildar(a)users.sourceforge.net
home: http://tuganger.narod.ru/
ALT Linux Sisyphus
================================================
15 years, 5 months