implicit context attribute in add request
by Wolfgang Bergbauer
Hi all,
I have a problem with the standard JNDI LDAP bind request and wanted to
know if OpenLdap behaves differently:
e.g.
when creating and object with a LDAP addRequest with a context of
umObjectGUID=0, OU=People, DC=avaya
then I will automatically get a attribute: umObjectGUID with value "0".
So this is implicit, I do not specify this attribute. Unfortunately the
ldap server then responds that this attribute is readOnly.
Can anyone tell me if OpenLdap also add this implicit context
attribute, or perhaps what other options do I have here?
Thanks a lot,
Wolfgang
12 years, 8 months
ACL's for admin users
by Aravind Arjunan
hi,
In my openldap i created a OU called india
under this ou there are many users and one administrator as admin.
I want this admin user to add and modify the users details only in this ou.
for that i need to set the access control list.
Can any one plz help me how to set acl's for this case.
Remaining users have only read only permissions.
eg:
ou=india
cn=admin---administrator
cn=sachin
cn=rahul
cn=saurav
cn=anil
12 years, 8 months
allow admin group to write excluding specific users
by Stelios A.
Hello,
I have a group called IT and another one called LDAP Admins. There are
5 users under IT and 2 under LDAP Admins.
I'm looking for an acl where members of IT (groupOfUniqueNames) can
modify/write anywhere under ou=Users.... apart from those users under
the LDAP Admins group.
Can anyone give me a help about this please.
I've found only how to give access to IT group but not how to exclude
LDAP Admins (2 in total) where those 2 exist also under IT group.
Any ideas?
Thanks
12 years, 8 months
Re: mail Routing thorugh openldap attribute
by Santosh Balan
Hi,
Create an MX record in your DNS server with the IP of the server, to which you need to divert your mails to and then give the host's name in mailHost attribute of LDAP.
Regards
Santosh Balan
> ----- Original Message -----
> From: "Dieter Kluenter" <dieter(a)dkluenter.de>
> To: openldap-technical(a)openldap.org
> Subject: Re: mail Routing thorugh openldap attribute
> Date: Thu, 07 Aug 2008 14:18:31 +0200
>
>
> "Aravind Arjunan" <aravind.arjunan(a)gmail.com> writes:
>
> > hi,
> >
> > I had configured mailserver in postfix and integrated openldap with postfix.
> > All my users information is in openldap.
> >
> > Now i need to route my mail for particular user to his respective mail box.
> > eg:
> [...]
> >
> > So when i send mail to user1 , it will first check the mail
> > address is correct or not from ldap entries
> > and check mailHost for the particular user and must go the
> > particular SMTP server where i had mentioned
> > in mailHost attribute in ldap.
> >
> > But for me it is checking the mailHost attribute and i had
> > mentioned the IP of the SMTP server in my LDAP
> > for mailHost attribute.So for me it checks the mailHost attribute
> > and delivering the mail in the same
> > SMTP server by creating the IP as the username and droping the mail
> >
> > Any body plz guide me home to route the mail to the particular user
> > .
>
> http://www.postfix.org/LDAP_README.html
>
> -Dieter
>
> --
> Dieter Klünter | Systemberatung
> http://www.dkluenter.de
> GPG Key ID:8EF7B6C6
> 53°08'09,95"N
> 10°08'02,42"E
>
=
--
Powered by Outblaze
12 years, 8 months
Help with authz-regexp mapping kerberos identity to dn ....SASL
by Chavez, James R.
Hello all,
My plan is to use Kerberos and LDAP as a replacement for NIS.
My issue is that I need my kerberos credentials to map to a user in LDAP
so I can avoid permission issues when logging in with kerberos creds.
All the perms are based on the UNIX/LDAP users and groups. Thing is the
user id's are different between kerberos and LDAP.
The kerberos names consist of firstname_lastname@REALM. The ldap entries
are in the format of standard Unix user names or first letter of first
name and up to 7 characters of the last name (jmontana). I migrated the
LDAP entries from my existing NIS maps.
Now I understand that I can use SASL and authz-regexp in slapd.conf to
map these id's. Please correct me if I am wrong.
I added all the corresponding "krbName: first_last@REALM" to the users
when I added them to the LDAP directory.
For example for user Joe Montana..His ldap dn is "dn:
uid=jmontana,ou=People,dc=test,dc=example,dc=com"
His uid is "uid: jmontana
And his Krb name is ""krbName: joe_montana(a)TEST.EXAMPLE.COM"
I think all the data is there to get a mapping I just am unsure of the
auth-regexp strings I need to add to the slapd.conf file.
Does anyone out there have any experience with this and better yet
provide the string or example of what strings I can use?
I have searched the net on how to authenticate with kerberos and
effictively login with a local id but have been unsuccessful in my
search.
Appreciate any help.
Thank You
James
CONFIDENTIALITY
This e-mail message and any attachments thereto, is intended only for use by the addressee(s) named herein and may contain legally privileged and/or confidential information. If you are not the intended recipient of this e-mail message, you are hereby notified that any dissemination, distribution or copying of this e-mail message, and any attachments thereto, is strictly prohibited. If you have received this e-mail message in error, please immediately notify the sender and permanently delete the original and any copies of this email and any prints thereof.
ABSENT AN EXPRESS STATEMENT TO THE CONTRARY HEREINABOVE, THIS E-MAIL IS NOT INTENDED AS A SUBSTITUTE FOR A WRITING. Notwithstanding the Uniform Electronic Transactions Act or the applicability of any other law of similar substance and effect, absent an express statement to the contrary hereinabove, this e-mail message its contents, and any attachments hereto are not intended to represent an offer or acceptance to enter into a contract and are not otherwise intended to bind the sender, Sanmina-SCI Corporation (or any of its subsidiaries), or any other person or entity.
12 years, 8 months
Updating password in slave ldap server
by Gustavo Mendes de Carvalho
Hi All,
I have 2 LDAP Servers (1 master and 1 slave) and I synchronize bdb database
by slurp daemon. So, when somebody needs to update his/her password or other
information, everything is done in master server and then slave server
receives this updates. This 2 servers are in the same physical place.
Now I am planning to put another LDAP slave in other geographical place (far
from this 2 servers) and because of that I am planning to put some slave
server receiving all updates from master server, but in all ldap client
machines in this new location I would like to configure this new slave
server (Slave server 2) as URI host in ldap.conf files. I mean
Location 1: Master server 1 and slave server 1
Location 2: Slave server 2
Is there any way to do:
1. ldap client machines in location 2 to authenticate using Slave server 2 ?
2. when client machines needs to change some ldap information (like password
or personal information), to force this update to occurs in slave server 2
and then master server 1 receives this uodate ?
Do I have to use 2 Master servers (1 in each location) ? If yes, can I
synchronize both BDB databases ? How ? Any other suggestions ?
Thanks in advance
---
Gustavo Mendes de Carvalho
email: gmcarvalho(a)gmail.com
12 years, 8 months
using query filter with dynlist attributes
by Rahul Amaram
Hi,
I would like to know if it is possible to use the dynamic attributes
(obtained by dynlist overlay), in a ldapsearch query filter. I have
tried using it but it does not seem to be working. Is there any fix for
this or is there any other overlay which will allow me to perform an
operation similar to sql join across different DN?
Thanks and Regards,
Rahul.
12 years, 8 months
RE: LDAP Group Membership Scalability
by Jeff Sussna
Fantastic! What I was hoping/expecting to hear :-).
________________________________________
From: Gavin Henry [ghenry(a)OpenLDAP.org]
Sent: Friday, August 08, 2008 4:57 PM
To: Jeff Sussna
Cc: openldap-technical(a)openldap.org
Subject: Re: LDAP Group Membership Scalability
Jeff Sussna wrote:
> I am looking into using OpenLDAP to manage users and groups for my
> system. A single group may contain up to 50,000 users. Does the LDAP
> group membership mechanism suffer any scalability problems at that size?
>
> ---------------------------------------------------------------
> Jeff Sussna
>
No. Some fortune 50s have every employee in an OpenLDAP Dynamic Group.
--
Kind Regards,
Gavin Henry.
OpenLDAP Engineering Team.
E ghenry(a)OpenLDAP.org
Community developed LDAP software.
http://www.openldap.org/project/
12 years, 8 months
LDAP Group Membership Scalability
by Jeff Sussna
I am looking into using OpenLDAP to manage users and groups for my
system. A single group may contain up to 50,000 users. Does the LDAP
group membership mechanism suffer any scalability problems at that size?
---------------------------------------------------------------
Jeff Sussna
12 years, 8 months