openldap-technical May 2008

openldap-technical@openldap.org

62 participants
56 discussions

How do I add multiple users to a group ldif file ?
by Pooja S 07 May '08

07 May '08

Hi All, Please help me setting up my groups with multiple group members. Here is the example of a group "adm" which I want to add as group with group member "root, adm, deamon" whereas root and deamon groups already exist. Here is the ldif config for adm group: dn: uid=adm,ou=Groups,dc=abc,dc=xyz uid: adm cn: adm objectClass: account objectClass: posixAccount objectClass: top objectClass: shadowAccount userPassword: {crypt}* shadowLastChange: 12864 shadowMax: 99999 shadowWarning: 7 uidNumber: 4 gidNumber: root,adm,daemon homeDirectory: When I try to add I get this error . #ldapadd -x -D 'cn=Manager,dc=abc,dc=xyz' -W -f bin.ldif Enter LDAP Password: adding new entry "uid=adm,ou=People,dc=grow" ldap_add: Invalid syntax additional info: gidNumber: value #0 invalid per syntax I have tried various options, such as: gidNumber: 4, 0, 3 gidNumber: 4 gidNumber: 0 gidNumber: 3 Error : adding new entry "uid=adm,ou=People,dc=grow" ldap_add: Constraint violation additional info: gidNumber: multiple values provided Or tried replacing gidNumber with uidNumber. It still doesnt work. Any help is highly appreciated. Thanks, Pooja ____________________________________________________________________________________ Be a better friend, newshound, and know-it-all with Yahoo! Mobile. Try it now. http://mobile.yahoo.com/;_ylt=Ahu06i62sR8HDtDypao8Wcj9tAcJ

2 1

Read encrypted userPassword from Mysql
by jbeezer02 06 May '08

06 May '08

I have been struggling with this for days now, trying different setups to no avail. I have openldap 2.3.40 installed and functioning (at least enough to read) with a mysql backend that is configured through unixODBC. I want to map the 'userPassword' attribute to a Mysql view that will contain the information from our other Mysql databases, such as username, name_first, password, salt, etc. Now the problem becomes how to read the encrypted format of our passwords. Our passwords are stored in Mysql the following way- /UPDATE user SET salt="'.$salt.'", password=SHA1(AES_ENCRYPT("'.$string.'","'.$salt.'")) WHERE id='.$this->id /where salt is generated by- /$salt = substr(md5(uniqid(rand(), true)), 0, 64); /Now I know that openldap doesn't support AES_ENCRYPTION, however it does support SHA. Now, the problem with this setup seems to be that I can't find a way to un-SHA the passwords, and then have it do an AES_DECRYPT. So I have been trying to switch the SHA and AES around so that, when a password is stored it is actually SHA encrypted first, and then AES_ENCRYPTED over top of that (granted, not quite as secure). I think that would enable me to use the AES_DECRYPT function in my 'ldap_attr_mappings' table to read the decrypted AES passwords, and then just check them with SHA. I have been trying to figure out all the base64 encoding that I have to mess with to read the encrypted formats, with not much luck. Has anyone done anything similar to this before? Is there a better way to read our encrypted Mysql passwords? This ldap is going to be used for VPN authentication, so I'm not concerned with writing data to it, just need to be able to read a users password. Thanks.

1 0

bdb_add: parent does not exist
by Rakesh Yadav 06 May '08

06 May '08

Hi */usr/local/libexec/slapd -n super -4 -V -d 1 & *Output: [1] 32204 [root@super ~]# @(#) $OpenLDAP: slapd 2.3.39 (May 6 2008 19:56:13) $ root@super:/root/ums/openldap-2.3.39/servers/slapd @(#) $OpenLDAP: slapd 2.3.39 (May 6 2008 19:56:13) $ root@super:/root/ums/openldap-2.3.39/servers/slapd daemon_init: listen on ldap:/// daemon_init: 1 listeners to open... ldap_url_parse_ext(ldap:///) daemon: listener initialized ldap:/// daemon_init: 1 listeners opened super init: initiated server. bdb_back_initialize: initialize BDB backend bdb_back_initialize: Sleepycat Software: Berkeley DB 4.3.29: (September 12, 2006) hdb_back_initialize: initialize HDB backend hdb_back_initialize: Sleepycat Software: Berkeley DB 4.3.29: (September 12, 2006) bdb_db_init: Initializing BDB database >>> dnPrettyNormal: <dc=my-domain,dc=com> <<< dnPrettyNormal: <dc=my-domain,dc=com>, <dc=my-domain,dc=com> >>> dnPrettyNormal: <cn=Manager,dc=my-domain,dc=com> <<< dnPrettyNormal: <cn=Manager,dc=my-domain,dc=com>, <cn=manager,dc=my-domain,dc=com> >>> dnNormalize: <cn=Subschema> <<< dnNormalize: <cn=subschema> matching_rule_use_init 1.2.840.113556.1.4.804 (integerBitOrMatch): matchingRuleUse: ( 1.2.840.113556.1.4.804 NAME 'integerBitOrMatch' APPLIES ( supportedLDAPVersion $ uidNumber $ gidNumber $ olcConcurrency $ olcConnMaxPending $ olcConnMaxPendingAuth $ olcIdleTimeout $ olcIndexSubstrIfMinLen $ olcIndexSubstrIfMaxLen $ olcIndexSubstrAnyLen $ olcIndexSubstrAnyStep $ olcLocalSSF $ olcMaxDerefDepth $ olcReplicationInterval $ olcSockbufMaxIncoming $ olcSockbufMaxIncomingAuth $ olcThreads $ olcToolThreads $ olcDbCacheFree $ olcDbCacheSize $ olcDbIDLcacheSize $ olcDbMode $ olcDbSearchStack $ olcDbShmKey $ olcSpSessionlog $ mailPreferenceOption $ shadowLastChange $ shadowMin $ shadowMax $ shadowWarning $ shadowInactive $ shadowExpire $ shadowFlag $ ipServicePort $ ipProtocolNumber $ oncRpcNumber ) ) 1.2.840.113556.1.4.803 (integerBitAndMatch): matchingRuleUse: ( 1.2.840.113556.1.4.803 NAME 'integerBitAndMatch' APPLIES ( supportedLDAPVersion $ uidNumber $ gidNumber $ olcConcurrency $ olcConnMaxPending $ olcConnMaxPendingAuth $ olcIdleTimeout $ olcIndexSubstrIfMinLen $ olcIndexSubstrIfMaxLen $ olcIndexSubstrAnyLen $ olcIndexSubstrAnyStep $ olcLocalSSF $ olcMaxDerefDepth $ olcReplicationInterval $ olcSockbufMaxIncoming $ olcSockbufMaxIncomingAuth $ olcThreads $ olcToolThreads $ olcDbCacheFree $ olcDbCacheSize $ olcDbIDLcacheSize $ olcDbMode $ olcDbSearchStack $ olcDbShmKey $ olcSpSessionlog $ mailPreferenceOption $ shadowLastChange $ shadowMin $ shadowMax $ shadowWarning $ shadowInactive $ shadowExpire $ shadowFlag $ ipServicePort $ ipProtocolNumber $ oncRpcNumber ) ) 1.3.6.1.4.1.1466.109.114.2 (caseIgnoreIA5Match): matchingRuleUse: ( 1.3.6.1.4.1.1466.109.114.2 NAME 'caseIgnoreIA5Match' APPLIES ( altServer $ mail $ dc $ associatedDomain $ email $ aRecord $ mDRecord $ mXRecord $ nSRecord $ sOARecord $ cNAMERecord $ janetMailbox $ gecos $ homeDirectory $ loginShell $ memberUid $ memberNisNetgroup $ ipHostNumber $ ipNetworkNumber $ ipNetmaskNumber $ macAddress $ bootFile $ nisMapEntry ) ) 1.3.6.1.4.1.1466.109.114.1 (caseExactIA5Match): matchingRuleUse: ( 1.3.6.1.4.1.1466.109.114.1 NAME 'caseExactIA5Match' APPLIES ( altServer $ mail $ dc $ associatedDomain $ email $ aRecord $ mDRecord $ mXRecord $ nSRecord $ sOARecord $ cNAMERecord $ janetMailbox $ gecos $ homeDirectory $ loginShell $ memberUid $ memberNisNetgroup $ ipHostNumber $ ipNetworkNumber $ ipNetmaskNumber $ macAddress $ bootFile $ nisMapEntry ) ) 2.5.13.35 (certificateMatch): matchingRuleUse: ( 2.5.13.35 NAME 'certificateMatch' APPLIES ( userCertificate $ cACertificate ) ) 2.5.13.34 (certificateExactMatch): matchingRuleUse: ( 2.5.13.34 NAME 'certificateExactMatch' APPLIES ( userCertificate $ cACertificate ) ) 2.5.13.30 (objectIdentifierFirstComponentMatch): matchingRuleUse: ( 2.5.13.30 NAME 'objectIdentifierFirstComponentMatch' APPLIES ( supportedControl $ supportedExtension $ supportedFeatures $ ldapSyntaxes $ supportedApplicationContext ) ) 2.5.13.29 (integerFirstComponentMatch): matchingRuleUse: ( 2.5.13.29NAME 'integerFirstComponentMatch' APPLIES ( supportedLDAPVersion $ uidNumber $ gidNumber $ olcConcurrency $ olcConnMaxPending $ olcConnMaxPendingAuth $ olcIdleTimeout $ olcIndexSubstrIfMinLen $ olcIndexSubstrIfMaxLen $ olcIndexSubstrAnyLen $ olcIndexSubstrAnyStep $ olcLocalSSF $ olcMaxDerefDepth $ olcReplicationInterval $ olcSockbufMaxIncoming $ olcSockbufMaxIncomingAuth $ olcThreads $ olcToolThreads $ olcDbCacheFree $ olcDbCacheSize $ olcDbIDLcacheSize $ olcDbMode $ olcDbSearchStack $ olcDbShmKey $ olcSpSessionlog $ mailPreferenceOption $ shadowLastChange $ shadowMin $ shadowMax $ shadowWarning $ shadowInactive $ shadowExpire $ shadowFlag $ ipServicePort $ ipProtocolNumber $ oncRpcNumber ) ) 2.5.13.27 (generalizedTimeMatch): matchingRuleUse: ( 2.5.13.27 NAME 'generalizedTimeMatch' APPLIES ( createTimestamp $ modifyTimestamp ) ) 2.5.13.24 (protocolInformationMatch): matchingRuleUse: ( 2.5.13.24 NAME 'protocolInformationMatch' APPLIES protocolInformation ) 2.5.13.23 (uniqueMemberMatch): matchingRuleUse: ( 2.5.13.23 NAME 'uniqueMemberMatch' APPLIES uniqueMember ) 2.5.13.22 (presentationAddressMatch): matchingRuleUse: ( 2.5.13.22 NAME 'presentationAddressMatch' APPLIES presentationAddress ) 2.5.13.20 (telephoneNumberMatch): matchingRuleUse: ( 2.5.13.20 NAME 'telephoneNumberMatch' APPLIES ( telephoneNumber $ homePhone $ mobile $ pager ) ) 2.5.13.17 (octetStringMatch): matchingRuleUse: ( 2.5.13.17 NAME 'octetStringMatch' APPLIES userPassword ) 2.5.13.16 (bitStringMatch): matchingRuleUse: ( 2.5.13.16 NAME 'bitStringMatch' APPLIES x500UniqueIdentifier ) 2.5.13.14 (integerMatch): matchingRuleUse: ( 2.5.13.14 NAME 'integerMatch' APPLIES ( supportedLDAPVersion $ uidNumber $ gidNumber $ olcConcurrency $ olcConnMaxPending $ olcConnMaxPendingAuth $ olcIdleTimeout $ olcIndexSubstrIfMinLen $ olcIndexSubstrIfMaxLen $ olcIndexSubstrAnyLen $ olcIndexSubstrAnyStep $ olcLocalSSF $ olcMaxDerefDepth $ olcReplicationInterval $ olcSockbufMaxIncoming $ olcSockbufMaxIncomingAuth $ olcThreads $ olcToolThreads $ olcDbCacheFree $ olcDbCacheSize $ olcDbIDLcacheSize $ olcDbMode $ olcDbSearchStack $ olcDbShmKey $ olcSpSessionlog $ mailPreferenceOption $ shadowLastChange $ shadowMin $ shadowMax $ shadowWarning $ shadowInactive $ shadowExpire $ shadowFlag $ ipServicePort $ ipProtocolNumber $ oncRpcNumber ) ) 2.5.13.13 (booleanMatch): matchingRuleUse: ( 2.5.13.13 NAME 'booleanMatch' APPLIES ( hasSubordinates $ olcGentleHUP $ olcLastMod $ olcReadOnly $ olcReverseLookup $ olcDbNoSync $ olcDbDirtyRead $ olcDbLinearIndex $ olcSpNoPresent $ olcSpReloadHint ) ) 2.5.13.11 (caseIgnoreListMatch): matchingRuleUse: ( 2.5.13.11 NAME 'caseIgnoreListMatch' APPLIES ( postalAddress $ registeredAddress $ homePostalAddress ) ) 2.5.13.8 (numericStringMatch): matchingRuleUse: ( 2.5.13.8 NAME 'numericStringMatch' APPLIES ( x121Address $ internationaliSDNNumber ) ) 2.5.13.7 (caseExactSubstringsMatch): matchingRuleUse: ( 2.5.13.7 NAME 'caseExactSubstringsMatch' APPLIES ( serialNumber $ destinationIndicator $ dnQualifier ) ) 2.5.13.6 (caseExactOrderingMatch): matchingRuleUse: ( 2.5.13.6 NAME 'caseExactOrderingMatch' APPLIES ( serialNumber $ destinationIndicator $ dnQualifier ) ) 2.5.13.5 (caseExactMatch): matchingRuleUse: ( 2.5.13.5 NAME 'caseExactMatch' APPLIES ( supportedSASLMechanisms $ vendorName $ vendorVersion $ ref $ name $ cn $ uid $ labeledURI $ description $ olcConfigFile $ olcConfigDir $ olcAccess $ olcAllows $ olcArgsFile $ olcAttributeOptions $ olcAttributeTypes $ olcAuthIDRewrite $ olcAuthzPolicy $ olcAuthzRegexp $ olcBackend $ olcDatabase $ olcDisallows $ olcDitContentRules $ olcInclude $ olcLimits $ olcLogFile $ olcLogLevel $ olcModuleLoad $ olcModulePath $ olcObjectClasses $ olcObjectIdentifier $ olcOverlay $ olcPasswordCryptSaltFormat $ olcPasswordHash $ olcPidFile $ olcPlugin $ olcPluginLogFile $ olcReferral $ olcReplica $ olcReplicaArgsFile $ olcReplicaPidFile $ olcReplogFile $ olcRequires $ olcRestrict $ olcRootDSE $ olcRootPW $ olcSaslHost $ olcSaslRealm $ olcSaslSecProps $ olcSecurity $ olcSizeLimit $ olcSrvtab $ olcSubordinate $ olcSyncrepl $ olcTimeLimit $ olcTLSCACertificateFile $ olcTLSCACertificatePath $ olcTLSCertificateFile $ olcTLSCertificateKeyFile $ olcTLSCipherSuite $ olcTLSCRLCheck $ olcTLSRandFile $ olcTLSVerifyClient $ olcTLSDHParamFile $ olcUpdateRef $ olcDbDirectory $ olcDbCheckpoint $ olcDbConfig $ olcDbIndex $ olcDbLockDetect $ olcSpCheckpoint $ knowledgeInformation $ sn $ serialNumber $ c $ l $ st $ street $ o $ ou $ title $ businessCategory $ postalCode $ postOfficeBox $ physicalDeliveryOfficeName $ destinationIndicator $ givenName $ initials $ generationQualifier $ dnQualifier $ houseIdentifier $ dmdName $ pseudonym $ textEncodedORAddress $ info $ drink $ roomNumber $ userClass $ host $ documentIdentifier $ documentTitle $ documentVersion $ documentLocation $ personalTitle $ co $ uniqueIdentifier $ organizationalStatus $ buildingName $ documentPublisher $ carLicense $ departmentNumber $ displayName $ employeeNumber $ employeeType $ preferredLanguage $ ipServiceProtocol $ nisMapName $ uName $ upwd ) ) 2.5.13.4 (caseIgnoreSubstringsMatch): matchingRuleUse: ( 2.5.13.4 NAME 'caseIgnoreSubstringsMatch' APPLIES ( serialNumber $ destinationIndicator $ dnQualifier ) ) 2.5.13.3 (caseIgnoreOrderingMatch): matchingRuleUse: ( 2.5.13.3 NAME 'caseIgnoreOrderingMatch' APPLIES ( serialNumber $ destinationIndicator $ dnQualifier ) ) 2.5.13.2 (caseIgnoreMatch): matchingRuleUse: ( 2.5.13.2 NAME 'caseIgnoreMatch' APPLIES ( supportedSASLMechanisms $ vendorName $ vendorVersion $ ref $ name $ cn $ uid $ labeledURI $ description $ olcConfigFile $ olcConfigDir $ olcAccess $ olcAllows $ olcArgsFile $ olcAttributeOptions $ olcAttributeTypes $ olcAuthIDRewrite $ olcAuthzPolicy $ olcAuthzRegexp $ olcBackend $ olcDatabase $ olcDisallows $ olcDitContentRules $ olcInclude $ olcLimits $ olcLogFile $ olcLogLevel $ olcModuleLoad $ olcModulePath $ olcObjectClasses $ olcObjectIdentifier $ olcOverlay $ olcPasswordCryptSaltFormat $ olcPasswordHash $ olcPidFile $ olcPlugin $ olcPluginLogFile $ olcReferral $ olcReplica $ olcReplicaArgsFile $ olcReplicaPidFile $ olcReplogFile $ olcRequires $ olcRestrict $ olcRootDSE $ olcRootPW $ olcSaslHost $ olcSaslRealm $ olcSaslSecProps $ olcSecurity $ olcSizeLimit $ olcSrvtab $ olcSubordinate $ olcSyncrepl $ olcTimeLimit $ olcTLSCACertificateFile $ olcTLSCACertificatePath $ olcTLSCertificateFile $ olcTLSCertificateKeyFile $ olcTLSCipherSuite $ olcTLSCRLCheck $ olcTLSRandFile $ olcTLSVerifyClient $ olcTLSDHParamFile $ olcUpdateRef $ olcDbDirectory $ olcDbCheckpoint $ olcDbConfig $ olcDbIndex $ olcDbLockDetect $ olcSpCheckpoint $ knowledgeInformation $ sn $ serialNumber $ c $ l $ st $ street $ o $ ou $ title $ businessCategory $ postalCode $ postOfficeBox $ physicalDeliveryOfficeName $ destinationIndicator $ givenName $ initials $ generationQualifier $ dnQualifier $ houseIdentifier $ dmdName $ pseudonym $ textEncodedORAddress $ info $ drink $ roomNumber $ userClass $ host $ documentIdentifier $ documentTitle $ documentVersion $ documentLocation $ personalTitle $ co $ uniqueIdentifier $ organizationalStatus $ buildingName $ documentPublisher $ carLicense $ departmentNumber $ displayName $ employeeNumber $ employeeType $ preferredLanguage $ ipServiceProtocol $ nisMapName $ uName $ upwd ) ) 1.2.36.79672281.1.13.3 (rdnMatch): 2.5.13.1(distinguishedNameMatch): matchingRuleUse: ( 2.5.13.1 NAME 'distinguishedNameMatch' APPLIES ( creatorsName $ modifiersName $ subschemaSubentry $ namingContexts $ aliasedObjectName $ distinguishedName $ seeAlso $ olcDefaultSearchBase $ olcRootDN $ olcSchemaDN $ olcSuffix $ olcUpdateDN $ member $ owner $ roleOccupant $ manager $ documentAuthor $ secretary $ associatedName $ dITRedirect ) ) 2.5.13.0 (objectIdentifierMatch): matchingRuleUse: ( 2.5.13.0 NAME 'objectIdentifierMatch' APPLIES ( supportedControl $ supportedExtension $ supportedFeatures $ supportedApplicationContext ) ) super startup: initiated. backend_startup_one: starting "cn=config" config_back_db_open config_build_entry: "cn=config" config_build_entry: "cn=include{0}" config_build_entry: "cn=include{1}" config_build_entry: "cn=include{2}" config_build_entry: "cn=include{3}" config_build_entry: "cn=include{4}" config_build_entry: "cn=schema" config_build_entry: "cn={0}core" config_build_entry: "cn={1}cosine" config_build_entry: "cn={2}inetorgperson" config_build_entry: "cn={3}nis" config_build_entry: "cn={4}ums" config_build_entry: "olcDatabase={-1}frontend" config_build_entry: "olcDatabase={0}config" config_build_entry: "olcDatabase={1}bdb" backend_startup_one: starting "dc=my-domain,dc=com" bdb_db_open: dbenv_open(/usr/local/var/openldap-data) slapd starting ======================================================== *ums.schema : *attributetype ( 1.3.6.1.4.1.6863.2.3.200 NAME ( 'uName' ) DESC 'group owner id of gfs user' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) attributetype ( 1.3.6.1.4.1.6863.2.3.201 NAME ( 'upwd' ) DESC 'group owner id of gfs user' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) objectclass ( 1.3.6.1.4.1.6863.2.4.150 Name 'umsUser' DESC 'gfs group information' SUP top STRUCTURAL MUST ( uName $ upwd ) ) * *================================================* *slapd.conf :* *# # See slapd.conf(5) for details on configuration options. # This file should NOT be world readable. # include /usr/local/etc/openldap/schema/core.schema include /usr/local/etc/openldap/schema/cosine.schema include /usr/local/etc/openldap/schema/inetorgperson.schema include /usr/local/etc/openldap/schema/nis.schema include /usr/local/etc/openldap/schema/ums.schema # Define global ACLs to disable default read access. # Do not enable referrals until AFTER you have a working directory # service AND an understanding of referrals. #referral ldap://root.openldap.org pidfile /usr/local/var/run/slapd.pid argsfile /usr/local/var/run/slapd.args # Load dynamic backend modules: # modulepath /usr/local/libexec/openldap # moduleload back_bdb.la # moduleload back_ldap.la # moduleload back_ldbm.la # moduleload back_passwd.la # moduleload back_shell.la ####################################################################### # BDB database definitions ####################################################################### database bdb suffix "dc=my-domain,dc=com" rootdn "cn=Manager,dc=my-domain,dc=com" # Cleartext passwords, especially for the rootdn, should # be avoid. See slappasswd(8) and slapd.conf(5) for details. # Use of strong authentication encouraged. rootpw secret # The database directory MUST exist prior to running slapd AND # should only be accessible by the slapd and slap tools. # Mode 700 recommended. directory /usr/local/var/openldap-data # Indices to maintain index objectClass eq ================================================================ *ums.ldif : *dn: uName=rkyadav,dc=my-domain,dc=com objectClass: top objectClass: umsUser uName: rkyadav upwd: rkyadav123 * *==============================================================* * *ldapadd -x -h "super" -D "cn=Manager,dc=my-domain,dc=com" -w "secret" -f ums.ldif *Output : >>> slap_listener(ldap:///) connection_get(11): got connid=0 connection_read(11): checking for input on id=0 ber_get_next ber_get_next: tag 0x30 len 48 contents: ber_get_next do_bind ber_scanf fmt ({imt) ber: ber_scanf fmt (m}) ber: >>> dnPrettyNormal: <cn=Manager,dc=my-domain,dc=com> <<< dnPrettyNormal: <cn=Manager,dc=my-domain,dc=com>, <cn=manager,dc=my-domain,dc=com> do_bind: version=3 dn="cn=Manager,dc=my-domain,dc=com" method=128 do_bind: v3 bind: "cn=Manager,dc=my-domain,dc=com" to "cn=Manager,dc=my-domain,dc=com" send_ldap_result: conn=0 op=0 p=3 send_ldap_response: msgid=1 tag=97 err=0 ber_flush: 14 bytes to sd 11 adding new entry "cn=Barbara J Jensen,dc=my-domain,dc=com" connection_get(11): got connid=0 connection_read(11): checking for input on id=0 ber_get_next ber_get_next: tag 0x30 len 128 contents: ber_get_next do_add ber_scanf fmt ({m) ber: >>> dnPrettyNormal: <cn=Barbara J Jensen,dc=my-domain,dc=com> <<< dnPrettyNormal: <cn=Barbara J Jensen,dc=my-domain,dc=com>, <cn=barbara j jensen,dc=my-domain,dc=com> ber_scanf fmt ({m{W}}) ber: ber_scanf fmt ({m{W}}) ber: ber_scanf fmt ({m{W}}) ber: ber_scanf fmt (}) ber: bdb_dn2entry("cn=barbara j jensen,dc=my-domain,dc=com") => bdb_dn2id("dc=my-domain,dc=com") <= bdb_dn2id: get failed: DB_NOTFOUND: No matching key/data pair found (-30989) oc_check_required entry (cn=Barbara J Jensen,dc=my-domain,dc=com), objectClass "person" oc_check_allowed type "cn" oc_check_allowed type "objectClass" oc_check_allowed type "sn" oc_check_allowed type "structuralObjectClass" oc_check_allowed type "entryUUID" oc_check_allowed type "creatorsName" oc_check_allowed type "createTimestamp" oc_check_allowed type "entryCSN" oc_check_allowed type "modifiersName" oc_check_allowed type "modifyTimestamp" bdb_dn2entry("cn=barbara j jensen,dc=my-domain,dc=com") => bdb_dn2id("dc=my-domain,dc=com") <= bdb_dn2id: get failed: DB_NOTFOUND: No matching key/data pair found (-30989) *is_entry_objectclass("", "2.16.840.1.113730.3.2.6") no objectClass attribute* *bdb_add: parent does not exist* send_ldap_result: conn=0 op=1 p=3 send_ldap_response: msgid=2 tag=105 err=32 ber_flush: 14 bytes to sd 11 *ldapadd: No such object (32)* connection_get(11): got connid=0 connection_read(11): checking for input on id=0 ber_get_next ber_get_next: tag 0x30 len 5 contents: ber_get_next do_unbind connection_closing: readying conn=0 sd=11 for close connection_resched: attempting closing conn=0 sd=11 connection_close: conn=0 sd=11 =============================================================== Please tell me why i m geeting this error? If there is a problem then where it is ? Thanks -- Rakesh Yadav Pune.

2 1

backend shell error
by Chris Henderson 05 May '08

05 May '08

I have compiled OpenLDAP v2.4.8 (./configure --enable-backends=yes --enable-overlays=yes) and trying to put a shell script on my slapd.conf to parse LDAP queries. But when I run slaptest I get: "unknown directive <search> inside backend database definition" error. Here is my slapd.conf - include /usr/local/etc/openldap/schema/core.schema pidfile /usr/local/var/run/slapd.pid argsfile /usr/local/var/run/slapd.args Allow bind_v2 access to dn.base="" by * read access to * by * read backend shell database ldap suffix "dc=activedirectory,dc=domain,dc=tld" uri "ldap://activedirectory.domain.tld" search shell_script.sh Any help on this would be much appreciated. Thanks.

2 1

back_ldap.la on Fedora
by Chris Henderson 05 May '08

05 May '08

I am running OpenLDAP 2.3.37 on Fedora Linux; I need the "back_ldap.la" module for a backend shell script but it doesn't come with my version of OpenLDAP and I am unable to find this module anywhere else on the Internet. Would anyone know how I am going to install this module on my computer? Thanks for any help.

2 2

Problem to start openldapldap
by youness hsina 05 May '08

05 May '08

Hi all, i'm new to LDAP, i'm trying to make an Openldap server in FreeBSD, my problem is : i can't get start this server . even the file syslog i can't find it here is my debug.log file : *May 2 09:51:30 stavril slapd[967]: @(#) $OpenLDAP: slapd 2.3.41 (Apr 25 2008 14:56:51) $ root(a)stavril.gtr.iut-velizy.uvsq.fr: /usr/ports/net/openldap23-server/work/openldap-2.3.41/servers/slapd May 2 09:51:30 stavril slapd[967]: connections_destroy: nothing to destroy. May 2 09:51:30 stavril slapd[967]: /usr/local/etc/openldap/slapd.conf: line 83: <database> failed init (bdb)! May 2 09:51:30 stavril slapd[967]: slapd stopped. May 2 10:04:13 stavril slapd[55570]: connections_destroy: nothing to destroy. May 2 11:15:17 stavril slapd[62838]: @(#) $OpenLDAP: slapd 2.3.41 (Apr 25 2008 14:56:51) $ root(a)stavril.gtr.iut-velizy.uvsq.fr: /usr/ports/net/openldap23-server/work/openldap-2.3.41/servers/slapd May 2 11:15:17 stavril slapd[62838]: daemon: getaddrinfo() failed: hostname nor servname provided, or not known May 2 11:15:17 stavril slapd[62838]: slapd stopped. May 2 11:15:17 stavril slapd[62838]: connections_destroy: nothing to destroy.* is any one have ths same problem, please i need your help best regards uness

2 1

Disk Quota with LDAP
by Shafiqul Abedin 04 May '08

04 May '08

Hello All: I am new to this forum. If I am making any mistakes, please let me know. After searching google a million times, I am finally asking you guys. How do I set disk quota with LDAP? Is it possible to do it at all? Any docuentation? Any help? I am new to LDAP. Please help. Thanks ____________________________________________________________________________________ Be a better friend, newshound, and know-it-all with Yahoo! Mobile. Try it now. http://mobile.yahoo.com/;_ylt=Ahu06i62sR8HDtDypao8Wcj9tAcJ

2 1

Tony Earnshaw, 29/02/40 - 29/04/08
by Ace Suares 04 May '08

04 May '08

Dear List, Tony Earnshaw, active member of this list, has passed away last Tuesday. About a month ago he was diagnosed with stage 5 lung cancer and within a very short time Tony left us. Tony's body will be cremated Monday 5th of May in Amsterdam. For those who want to express their feelings, please visit http://www.xs4all.nl/~snore/tony If among you there are people who want to have more information, send me an email at ace(a)suares.an and I will forward it to the kind people that take care of his affairs. With Sadness, Ace Suares

1 0

query Active Directory
by Chris Henderson 04 May '08

04 May '08

I am querying AD to get the first proxyaddresses:smtp field with only the username but it is giving me lots of other information that I don't really need. I was wondering if it is be possible to filter the query in slapd.conf to give me what I need. Here's my slapd.conf Allow bind_v2 access to dn.base="" by * read access to * by * read database ldap suffix "dc=ad3,dc=merog,dc=org" uri "ldap://ad3.merog.org" query_filter=(PROXYADDRESSES :smtp:%s@*) cachesize 10000 sizelimit unlimited I am querying for PROXYADDRESSES which comes like this: PROXYADDRESSES: smtp:username@merog.org - I only want the "username" bit. Here's my query: ldapsearch -x -h ad3.merog.org -b "dc=ad3,dc=merog,dc=org" cn="user name" I don't want to use any sed, awk script to achieve the result. Just would like to use openldap itself if that's at all possible. Thanks for any help.

4 6

Authentication Problem Regarding aliasedObjectName
by Christian Felsing 02 May '08

02 May '08

Hello, my installation has two OUs, one contains real inetOrgPerson objects, other one contains aliases to the first OU. First OU contains DNs which are not acceptable to a specific application (pls. don't ask me why) so 2nd OU was introduced with DNs which are acceptable to that application. Unfortunally, authentication to an alias seems to be not possible, because that application is not able to do dereferencing. OU1: # 007(a)x86.be, freemail, my.net dn: uid=007(a)example.com,ou=mail,dc=my,dc=net objectClass: top objectClass: inetOrgPerson uid: 007(a)x86.be cn: testuser Application does not like DN "uid=007(a)example.com,ou=mail,dc=my,dc=net" but other applications depend on it. So following was introduced: OU2: # testuser, members, my.net dn: uid=testuser,ou=members,dc=my,dc=net objectClass: top objectClass: alias objectClass: extensibleObject uid: testuser aliasedObjectName: uid=007(a)example.com,ou=mail,dc=my,dc=net That application would accept DN "uid=testuser,ou=members,dc=my,dc=net", but is not able to dereference that to "uid=007(a)example.com,ou=mail,dc=my,dc=net" :-( Is there a way to let a proxy do dereferencing an aliasedObjectName to "real" object, so that application may be able to authenticate to that proxy ? best regards Christian

2 1

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical May 2008