Yesterday I saw a lot of
"Apr 6 16:08:20 xen-ldap01 slapd: <= bdb_equality_candidates:
(objectClass) not indexed"
in my OpenLDAP provider server log. After searching in the docs
(http://www.openldap.org/faq/data/cache/42.html), I applied
index objectClass eq
instead of the previous
#index objectClass eq
and restarted the service.
The surprise came when a few users could not log in to the system through
LDAP validation this morning. The errors in the log (in the client logs) were:
Apr 9 09:11:13 hc23 sshd: pam_ldap: error trying to bind as user
"uid=ivan,ou=SAT,ou=Tecnic,dc=my_company,dc=com" (Invalid credentials)
Apr 9 09:11:13 hc23 sshd: error: PAM: authentication error for
illegal user ivan from XXX.XXX.XXX.XXX
The solution was easy: comment out the "index objectClass eq" parameter
again in the slapd conf file.
Why does it happen? I wonder. Maybe some cache-related issue...
Jordi Espasa Clofent
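The warning quoted above names both the attribute and the kind of index slapd was looking for. The script below is an added example, not something posted in the thread: it scans syslog lines for these warnings and turns them into the slapd.conf index directives that would satisfy them. One caveat worth keeping in mind when acting on such output: an index directive added to slapd.conf does not index the entries already in the database; those have to be rebuilt with slapindex(8) while slapd is stopped, and until that is done searches that rely on the new index can return incomplete results. The candidate-function names other than bdb_equality_candidates, and every sample log line except the quoted one, are assumed or constructed.

```python
"""Summarise slapd 'not indexed' warnings into slapd.conf index directives.

Added example (not from the thread). It scans syslog lines for the back-bdb
warning quoted in the post and prints the 'index' directives that would
satisfy them. Candidate-function names other than bdb_equality_candidates
are assumed from back-bdb's filter code.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Set

# slapd candidate function -> slapd.conf index type
CANDIDATE_TO_INDEX = {
    "bdb_presence_candidates": "pres",
    "bdb_equality_candidates": "eq",
    "bdb_approx_candidates": "approx",
    "bdb_substring_candidates": "sub",
}
# Order in which index types are written out.
INDEX_ORDER = ["pres", "eq", "approx", "sub"]

# Matches "slapd: <= bdb_equality_candidates: (objectClass) not indexed",
# with or without a syslog PID suffix such as "slapd[1234]:".
NOT_INDEXED = re.compile(
    r"slapd(?:\[\d+\])?: <= (?P<func>\w+): \((?P<attr>[^)]+)\) not indexed"
)


def collect_missing(lines: Iterable[str]) -> Dict[str, Set[str]]:
    """Map each attribute to the set of index types slapd asked for."""
    missing: Dict[str, Set[str]] = defaultdict(set)
    for line in lines:
        m = NOT_INDEXED.search(line)
        if not m:
            continue
        index_type = CANDIDATE_TO_INDEX.get(m.group("func"))
        if index_type is None:  # no direct index type for this candidate kind
            continue
        missing[m.group("attr")].add(index_type)
    return dict(missing)


def suggest_directives(lines: Iterable[str]) -> List[str]:
    """Render one 'index <attr> <types>' directive per attribute."""
    out = []
    for attr, types in sorted(collect_missing(lines).items()):
        ordered = ",".join(t for t in INDEX_ORDER if t in types)
        out.append(f"index {attr} {ordered}")
    return out


# Constructed sample: the first line is the one quoted in the post,
# the rest are made up for illustration.
SAMPLE_LOG = [
    "Apr 6 16:08:20 xen-ldap01 slapd: <= bdb_equality_candidates: (objectClass) not indexed",
    "Apr 6 16:08:21 xen-ldap01 slapd: <= bdb_equality_candidates: (uid) not indexed",
    "Apr 6 16:08:21 xen-ldap01 slapd: <= bdb_substring_candidates: (uid) not indexed",
    "Apr 6 16:08:22 xen-ldap01 slapd: conn=12 fd=20 ACCEPT from IP=10.0.0.5:4321",
]

if __name__ == "__main__":
    for directive in suggest_directives(SAMPLE_LOG):
        print(directive)
```

Run on the sample it prints `index objectClass eq` and `index uid eq,sub`; unrelated lines (the ACCEPT line) are ignored.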
I have configured OpenLDAP for SSO. Now I am authenticating all of my Linux
boxes with this SSO. Now I have a requirement that my root user should not
authenticate through this SSO. The rest of the users should authenticate through
Does anyone have any suggestion for this?
I will be co-presenting a talk at the MySQL Conference on Thursday April 23 in
Santa Clara, California on the back-ndb backend in OpenLDAP. Johan Andersson
from Sun/MySQL will also be presenting; Symas and MySQL worked together to
design the data model for this backend.
back-ndb is a new OpenLDAP slapd backend that provides direct access to
MySQL's NDB Cluster engine. The NDB Cluster design allows concurrent access to
relational tables from multiple access methods (including mysqld for
traditional SQL access, and slapd for LDAP access) and allows capacity to
scale horizontally across multiple data nodes. The OpenLDAP backend uses the
native NDBAPI to achieve high speed access without any SQL translation
overhead. Multiple slapd servers can operate concurrently on an NDB database,
along with other mysqld servers and other agents, allowing performance to be
augmented linearly simply by adding more nodes to a cluster.
This will be slightly more in-depth than the back-ndb talk I presented at the
UKUUG conference in March.
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
On Tue, Apr 7, 2009 at 5:51 PM, Quanah Gibson-Mount <quanah(a)zimbra.com> wrote:
> --On Tuesday, April 07, 2009 11:31 AM -0300 Norberto Bensa
> <nbensa(a)gmail.com> wrote:
>> This is OT to this list, but "net rpc vampire" will do what you want.
>> Consult the samba docs/mailing list.
> I don't see why this is off topic. The -technical list is about
> interoperability of OpenLDAP with other applications.
Thanks. I thought this list was openldap-only questions.
Hi, does anyone know how I can export users, groups and machines from a
WinNT 4.0 PDC and put this information in my OpenLDAP+SAMBA (PDC)?
Nathaniel Simch de Morais
"Do you think you are free if the software you use is not?"
I use BrOffice.org!!!
I use Mozilla Firefox!!!
[kylec@localhost ~]$ ldapsearch -v -H ldap://localhost -x -b
ldap_initialize( ldap://localhost )
requesting: All userApplication attributes
# extended LDIF
# base <cn=Users,dc=company,dc=internal> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
# search result
result: 1 Operations error
text: 00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece
# numResponses: 1
Here's a quick question: if you need to expose one MySQL db as LDAP, for example using the existing db that has customer records in it so that a 3rd-party application can look them up via LDAP, do you use bog-standard back-sql or back-ndb, just using one db, as it looks easier to set up?
Going by Howard's talk at UKUUG 2009:
Not sure if this is the right list?
I have a new OpenLDAP (version 2.3) server that uses Kerberos for password
authentication, which is going to be a replacement for NIS (YP).
All normal access works fine and users can log in and access automount maps.
However there are 2 types of LDAP binding.
At the moment anybody can run the following
I would like to try and disable simple binding.
But if I select "disallow bind_anon" in the slapd.conf file,
things start to break, like authentication stops working.
Apr 1 15:42:15 apricot sudo: pam_ldap: error trying to bind
Apr 1 15:42:18 apricot sudo: pam_ldap: error trying to bind
Apr 1 15:42:25 apricot sudo: pam_ldap: ldap_result Can't contact
How do I get a machine to authenticate to LDAP?
I think the problem lies with nss_ldap?
When I add the following line to /etc/ldap.conf
I start to get the following errors:
Apr 2 14:09:11 bruce vmware-guestd: nss_ldap: reconnecting to LDAP server
(sleeping 4 seconds)...
Apr 2 14:09:15 bruce vmware-guestd: nss_ldap: reconnecting to LDAP server
(sleeping 8 seconds)...
Apr 2 14:09:18 bruce nscd: nss_ldap: reconnecting to LDAP server
(sleeping 16 seconds)...
Apr 2 14:27:06 bruce sshd: pam_ldap: ldap_starttls_s: Operations error
Apr 2 14:27:06 bruce sshd(pam_unix): authentication failure;
logname= uid=0 euid=0 tty=ssh ruser= rhost=apricot.uk.ad.ep.corp.local
Apr 2 14:27:06 bruce sshd: pam_krb5: authentication
succeeds for'mgarrett' (mgarrett(a)UK.AD.EP.CORP.LOCAL)
Can anybody point me in the right direction?
Server is RedHat 5.3
Clients are RedHat 4.7
Copy of slapd.conf
# Allow LDAPv2 client connections. This is NOT the default.
## security - other directives
## prevents anonymous access to
## any connection
## forces a bind operation before DIT access
## Use of reads on ldaps only port forces use
## of TLS/SSL but not a minimum value
## this directive forces a minimum value
# Map SASL authentication DNs to LDAP DNs
# This leaves "username/admin" principals untouched
# This should be a ^ plus, not a star, but slapd won't accept it
# Default read access for everything else except anonymous users who have
# no access but does not work. !
access to *
by dn.regex="uid=.*/admin,cn=GSSAPI,cn=auth" write
by * read
#by anonymous none
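The "access to *" directive quoted above is worth a closer look, because slapd.access(5) evaluates the "by" clauses of one directive in order and stops at the first <who> that matches the requester. A "by anonymous none" line placed after "by * read" is therefore never consulted, since "*" already matched. The script below is an added example, not code from the thread or from OpenLDAP: a toy evaluator of that first-match rule over the posted directive, a version with the commented line re-enabled in place, and a reordered version. It handles only the <who> forms the thread uses (dn.regex=, anonymous, users, *); it assumes dn.regex patterns are not implicitly anchored and does not model DN normalisation.

```python
"""Toy evaluator for the 'by' clauses of an OpenLDAP 'access to' directive.

Added example, not from the thread or from OpenLDAP. It models one rule from
slapd.access(5): the 'by' clauses of a directive are tried in order and the
first one whose <who> matches the requester decides the access level. Only
the <who> forms seen in the thread (dn.regex=, anonymous, users, *) are
handled; self, group, peername and the break/continue controls are left out.
"""
import re
from typing import List, Optional, Tuple

# Access levels in increasing order of privilege, as in slapd.access(5).
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]

_CLAUSE = re.compile(r'^by\s+(dn\.regex="[^"]*"|anonymous|users|\*)\s+(\w+)$')


def parse_by_clauses(acl_text: str) -> List[Tuple[str, str]]:
    """Return (who, level) pairs; '#' lines are comments and are skipped."""
    clauses = []
    for raw in acl_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("access to"):
            continue
        m = _CLAUSE.match(line)
        if not m:
            raise ValueError(f"unsupported clause: {line!r}")
        who, level = m.group(1), m.group(2)
        if level not in LEVELS:
            raise ValueError(f"unknown access level: {level!r}")
        clauses.append((who, level))
    return clauses


def who_matches(who: str, bind_dn: Optional[str]) -> bool:
    """bind_dn is None for an anonymous connection."""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "users":
        return bind_dn is not None
    if who.startswith("dn.regex="):
        pattern = who[len('dn.regex="'):-1]
        # Assumption: no implicit anchoring, so the pattern may match anywhere
        # in the DN; DN normalisation (case folding) is not modelled here.
        return bind_dn is not None and re.search(pattern, bind_dn) is not None
    raise ValueError(who)


def evaluate(acl_text: str, bind_dn: Optional[str]) -> str:
    """Access level granted to bind_dn by the first matching clause
    ('none' when nothing matches, which is slapd's default)."""
    for who, level in parse_by_clauses(acl_text):
        if who_matches(who, bind_dn):
            return level
    return "none"


def unreachable_clauses(acl_text: str) -> List[str]:
    """<who> specs that can never be reached because 'by *' precedes them."""
    dead, seen_wildcard = [], False
    for who, _ in parse_by_clauses(acl_text):
        if seen_wildcard:
            dead.append(who)
        if who == "*":
            seen_wildcard = True
    return dead


# The directive quoted in the post, verbatim.
POSTED_ACL = """
access to *
        by dn.regex="uid=.*/admin,cn=GSSAPI,cn=auth" write
        by * read
        #by anonymous none
"""

# Same directive with the last line uncommented in place: it is never consulted.
UNCOMMENTED_ACL = POSTED_ACL.replace("#by anonymous none", "by anonymous none")

# Reordered so the anonymous clause is tested before any catch-all.
# 'auth' rather than 'none' is what a simple bind needs on userPassword.
REORDERED_ACL = """
access to *
        by dn.regex="uid=.*/admin,cn=GSSAPI,cn=auth" write
        by anonymous auth
        by users read
"""

if __name__ == "__main__":
    for name, acl in [("posted", POSTED_ACL), ("uncommented", UNCOMMENTED_ACL),
                      ("reordered", REORDERED_ACL)]:
        print(name, "anonymous ->", evaluate(acl, None),
              "unreachable:", unreachable_clauses(acl))
```

With the posted ordering an anonymous requester gets "read" whether or not the last line is commented; only the reordered directive changes that, while the GSSAPI admin principal still gets "write".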
I'm trying to do SASL authentication against an Active Directory server.
In the second SASL bind request sent to AD, the IP address of the AD server is used as the digest-uri, e.g. "ldap/192.168.1.1". Isn't it supposed to use a domain name like "ldap/svr.example.com"?
I used "ldapsearch -Y DIGEST-MD5", and in ldap.conf "uri" and "host" are given as domain names.
Any help will be appreciated.
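Why the digest-uri form matters: in DIGEST-MD5 (RFC 2831) the digest-uri is part of the hashed A2 string, so the server can only verify the client's response by recomputing it with the same URI, and a server is expected to check that the URI names a service it actually provides (RFC 2831, section 2.1.2). The following is an added example, not code from the thread, from OpenLDAP or from Cyrus SASL: it computes the client response and the server's check with constructed values, and shows the two failure modes a "ldap/192.168.1.1" versus "ldap/svr.example.com" disagreement can produce. The usernames, nonces and URIs are all made up.

```python
"""DIGEST-MD5 (RFC 2831) response computation, client and server side.

Added example, not from the thread. It shows why the digest-uri the client
chooses matters: the URI is hashed into A2, so the server can only verify
the response if it recomputes it with the same URI, and it also checks that
the URI names a service it provides. All values below are constructed.
"""
import hashlib
import hmac


def _h(data: bytes) -> bytes:
    """H(): raw 16-byte MD5 digest."""
    return hashlib.md5(data).digest()


def _hh(data: bytes) -> str:
    """HEX(H()): lowercase hex of the MD5 digest."""
    return hashlib.md5(data).hexdigest()


def _a1(username, realm, password, nonce, cnonce, authzid=None) -> bytes:
    # A1 = H(username:realm:password) ":" nonce ":" cnonce [":" authzid]
    # The inner H() is the raw digest, not its hex form.
    a1 = _h(f"{username}:{realm}:{password}".encode()) + f":{nonce}:{cnonce}".encode()
    if authzid:
        a1 += f":{authzid}".encode()
    return a1


def _a2(prefix: str, digest_uri: str, qop: str) -> bytes:
    # Client: "AUTHENTICATE:" digest-uri ; server rspauth: ":" digest-uri.
    # For auth-int / auth-conf a suffix of 32 zeros is appended.
    a2 = f"{prefix}{digest_uri}"
    if qop in ("auth-int", "auth-conf"):
        a2 += ":" + "0" * 32
    return a2.encode()


def digest_md5_response(username, realm, password, nonce, cnonce, nc, qop,
                        digest_uri, authzid=None, rspauth=False) -> str:
    """response-value (or rspauth when rspauth=True), RFC 2831 section 2.1.2.1."""
    prefix = "" if rspauth else "AUTHENTICATE:"
    ha1 = _hh(_a1(username, realm, password, nonce, cnonce, authzid))
    ha2 = _hh(_a2(prefix, digest_uri, qop))
    # KD(k, s) = H(k ":" s)
    return _hh(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}".encode())


def server_verify(username, realm, password, nonce, cnonce, nc, qop,
                  presented_uri, response, served_uris) -> str:
    """Server-side check. The server knows the user's secret (here the
    cleartext password; a real server may store H(user:realm:pass) instead)."""
    if presented_uri not in served_uris:
        return "rejected: digest-uri does not name this service"
    expected = digest_md5_response(username, realm, password, nonce, cnonce,
                                   nc, qop, presented_uri)
    if not hmac.compare_digest(expected, response):
        return "rejected: response mismatch"
    return "ok"


# Constructed exchange parameters.
USER, REALM, PASSWORD = "alice", "example.com", "correct horse"
NONCE, CNONCE, NC, QOP = "srvnonce123", "clinonce456", "00000001", "auth"
HOST_URI, IP_URI = "ldap/svr.example.com", "ldap/192.168.1.1"
SERVED = {HOST_URI}  # the service names this server answers for


def demo():
    """Three outcomes: matching URI, IP-form URI, and a response hashed with
    a different URI than the one presented."""
    args = (USER, REALM, PASSWORD, NONCE, CNONCE, NC, QOP)
    good = digest_md5_response(*args, HOST_URI)
    by_ip = digest_md5_response(*args, IP_URI)
    return {
        "hostname_uri": server_verify(*args, HOST_URI, good, SERVED),
        "ip_uri": server_verify(*args, IP_URI, by_ip, SERVED),
        "uri_mismatch": server_verify(*args, HOST_URI, by_ip, SERVED),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

The first case verifies; the IP-form URI is refused before any hashing because the server does not serve under that name; the third case fails on the hash itself because client and server disagree on A2.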