I installed openldap about two months ago, everything went ok and now I
need password policies. These are working as expected, except for pwdCheckModule.
In `man slapo-ppolicy` I have read this is a user-defined module... This is
a problem for me... A long time ago I think I was able to do this without
too many problems but now I must read the "C++ Bible" to understand
this... Is there any sample, or configurable module for this? Does everybody do
this by themselves?
Thanks in advance ;)
I'm on Ubuntu 8.10, and using openldap 2.4.11.
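Added example, not from the poster or from the OpenLDAP project: a minimal pwdCheckModule for slapo-ppolicy as a stand-alone C file. slapd loads the shared object named by pwdCheckModule and calls check_password(pPasswd, ppErrStr, pEntry) with the cleartext password (the module is only reached when pwdCheckQuality is 1 or 2 and the client did not pre-hash the password); LDAP_SUCCESS accepts, anything else rejects, and the error text is malloc()ed by the module and freed by slapd after it logs it. The 12-character minimum, the three-character-class rule, the tiny deny-list and the build line in the header comment are all assumptions chosen for this example; the entry pointer is left unused.

```c
/*
 * Added example pwdCheckModule for slapo-ppolicy (not part of OpenLDAP).
 * Assumed build line:  gcc -shared -fPIC -o check_password.so check_password.c
 * Assumed policy entry: pwdCheckQuality: 2
 *                       pwdCheckModule: /usr/local/lib/check_password.so
 */
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

struct Entry;                 /* slapd's Entry; opaque here, never dereferenced */

#define LDAP_SUCCESS 0        /* result codes from RFC 4511 */
#define LDAP_OTHER   80

#define MIN_LENGTH   12       /* assumed policy values */
#define MIN_CLASSES  3

/* Constructed deny-list for the example; a real module would load a file. */
static const char *const denied[] = { "password", "letmein", "qwerty", "welcome", NULL };

/* Policy core, independent of slapd so it can be unit-tested.
 * Returns 0 if the password is acceptable, otherwise 1 with *why pointing
 * at a static reason string. */
int password_rejection(const char *pw, const char **why)
{
    size_t len = strlen(pw), i;
    int lower = 0, upper = 0, digit = 0, other = 0;
    char lowered[256];        /* only the first 255 bytes are checked against the list */
    size_t n = len < sizeof lowered - 1 ? len : sizeof lowered - 1;

    *why = NULL;
    if (len < MIN_LENGTH) {
        *why = "password shorter than 12 characters";
        return 1;
    }
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)pw[i];
        if (islower(c))      lower = 1;
        else if (isupper(c)) upper = 1;
        else if (isdigit(c)) digit = 1;
        else                 other = 1;
    }
    if (lower + upper + digit + other < MIN_CLASSES) {
        *why = "password uses fewer than 3 character classes";
        return 1;
    }
    for (i = 0; i < n; i++)
        lowered[i] = (char)tolower((unsigned char)pw[i]);
    lowered[n] = '\0';
    for (i = 0; denied[i] != NULL; i++) {
        if (strstr(lowered, denied[i]) != NULL) {
            *why = "password contains a common word";
            return 1;
        }
    }
    return 0;
}

/* Entry point that slapo-ppolicy resolves with lt_dlsym(). ppErrStr may be
 * NULL, in which case no message is produced. On rejection the message is
 * malloc()ed: slapd frees it once it has logged it. */
int check_password(char *pPasswd, char **ppErrStr, struct Entry *pEntry)
{
    const char *why;
    (void)pEntry;             /* the entry is available but this policy ignores it */

    if (password_rejection(pPasswd, &why) == 0)
        return LDAP_SUCCESS;

    if (ppErrStr != NULL) {
        size_t n = strlen(why) + 1;
        *ppErrStr = malloc(n);
        if (*ppErrStr != NULL)
            memcpy(*ppErrStr, why, n);
    }
    return LDAP_OTHER;
}
```

Set pwdCheckQuality to 2 rather than 1 in the pwdPolicy entry: with 1, a password slapd cannot inspect (because the client sent it pre-hashed) is accepted without the module ever seeing it, with 2 it is rejected. Keeping the actual rule in password_rejection() lets you test the policy on the command line without a running slapd.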
I successfully installed openldap on my server.
I was a little bit surprised because I didn't find slapd.conf in /etc/ldap/
like in older releases, but I found a tutorial explaining how to use slapd.d.
In this howto, they specified that it is possible to convert slapd.conf to
slapd.d using slaptest.
Because I don't have a slapd.conf, I cannot convert anything.
So, how can I do this?
Secondly, following the tutorial, I used slaptest to create an ldif for a schema.
I successfully added the ldif schema to openldap using ldapadd, and schema
It was mozillaorgperson, and I'm now able to create, read and modify users.
My problem is that I need to use a new schema "rfc2703bis.schema" because my
openldap server is for egroupware, and there is a problem with
PosixGroup... So I need to add it.
This schema should replace the nis schema.
BUT, I cannot delete the NIS schema, because it is used by openldap.
And I cannot add rfc2703bis because I get "already exists" errors <--- this is
logical because the entries are in NIS, which is active on openldap at this time.
So I tried a lot of things, like using slaptest to create the ldif, copying
it wholesale to slapd.d and removing the NIS schema by hand... Not working;
the result is that now the openldap server cannot start...
Is there a clean way to do that?
Is it possible for me to create a slapd.conf, put all my configuration
inside, run slaptest, get a clean slapd.d and run openldap? In
a simple way.
What should I put inside?
Thanks a lot for your help
I am having a problem with what appears (to me) to be 'stale' TCP
connections for syncrepl between the master and a pair of slaves. After
restarting all, I see changes on the master replicated to both slaves.
BUT, if I wait about 30 minutes or more, then make a change, the
replication fails (most of the time). netstat on the LDAP port shows the
connections still established, but queued packets at the master server.
After about 15 minutes, the master server drops the connection. An
overnight tcpdump on the master showed LDAP occasionally sending a
keep-alive, with 2hrs between the keep-alive messages (these keep-alives
are inconsistent, though, some nights I see none).
I am running Red Hat EL5 and Openldap 2.3.43 on all servers with no TLS
or SASL (in our integration/test facility).
I don't see anything in the documentation pertaining to keep-alives,
other than ITS#4708 for 2.3.38.
Here's the syncrepl for one slave:
retry="30 10 300 3"
The other slave's slapd.conf is identical except rid=002.
On the master I have:
syncprov-checkpoint 100 30
Note: The 2 slaves are running on blades in an IBM chassis, and the
master is on a 1U Linux server, just 'one-hop' away. Prior to this,
when I had a master/slave pair running on the blades, syncRepl was
working fine for several months. It was not until I moved the master to
another server that the failures started.
Thanks in advance for any help or info.
I was checking the Oracle Berkeley site, and I found many versions available to
I will compile Berkeley database on my own, and I would like to know which
version is most recommended to use with OpenLDAP 2.4.x
4.7.25 is the Latest Production Release.
Gustavo Mendes de Carvalho
I am new to LDAP so please bear with me if my question sounds too basic.
I want to make sure that a group already exists in the directory before a
member is allowed to be added.
I guess the API to use would be ldap_search_s (I want to use synchronous
What kind of filter syntax should I use?
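Added example, not from the poster: the filter such an existence check would use, built in C with the value escaped as RFC 4515 requires, and the libldap search wrapped around it. The group object class (groupOfNames), the naming attribute (cn) and the search base are assumptions. The escaping is the security-relevant part: a group name that comes from a caller is filter syntax unless '*', '(', ')' and '\' are rewritten as \2a, \28, \29 and \5c, so a name like admins)(cn=* would otherwise widen the search instead of naming one group. The libldap part is compiled only with -DUSE_LIBLDAP so the rest builds without OpenLDAP headers; it uses ldap_search_ext_s(), since in 2.4 ldap_search_s() is only declared when LDAP_DEPRECATED is defined.

```c
/* Added example (not the poster's code): RFC 4515 filter escaping and a
 * "does this group exist" search for OpenLDAP 2.4 libldap.
 * Build without libldap:  cc -c group_check.c
 * Build with libldap:     cc -DUSE_LIBLDAP group_check.c -lldap -llber   (assumed) */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Escape one assertion value per RFC 4515 section 3: '*', '(', ')' and '\'
 * become \HH. Returns a malloc()ed string (caller frees) or NULL when out of
 * memory. NUL cannot occur inside a C string, so it is not handled. */
char *filter_escape_value(const char *value)
{
    static const char hex[] = "0123456789abcdef";
    size_t len = strlen(value), i, j = 0;
    char *out = malloc(len * 3 + 1);        /* worst case: every byte escaped */

    if (out == NULL)
        return NULL;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)value[i];
        if (c == '*' || c == '(' || c == ')' || c == '\\') {
            out[j++] = '\\';
            out[j++] = hex[c >> 4];
            out[j++] = hex[c & 0x0f];
        } else {
            out[j++] = (char)c;
        }
    }
    out[j] = '\0';
    return out;
}

/* Filter for "a groupOfNames named <group_cn> exists". Object class and
 * naming attribute are assumptions for this example. Caller frees. */
char *group_exists_filter(const char *group_cn)
{
    static const char fmt[] = "(&(objectClass=groupOfNames)(cn=%s))";
    char *esc = filter_escape_value(group_cn);
    char *filter;
    size_t n;

    if (esc == NULL)
        return NULL;
    n = sizeof fmt + strlen(esc);           /* sizeof fmt counts the NUL and the "%s" */
    filter = malloc(n);
    if (filter != NULL)
        snprintf(filter, n, fmt, esc);
    free(esc);
    return filter;
}

#ifdef USE_LIBLDAP
#include <ldap.h>

/* 1 = the group exists, 0 = it does not, -1 = the search itself failed.
 * A caller deciding whether a member may be added should treat -1 as "no",
 * not as "absent". ld must already be bound. */
int group_exists(LDAP *ld, const char *base, const char *group_cn)
{
    char *filter = group_exists_filter(group_cn);
    char *attrs[] = { "1.1", NULL };        /* "1.1" (RFC 4511): return no attributes */
    LDAPMessage *res = NULL;
    int rc, count;

    if (filter == NULL)
        return -1;
    rc = ldap_search_ext_s(ld, base, LDAP_SCOPE_SUBTREE, filter, attrs, 0,
                           NULL, NULL, NULL, 0, &res);
    free(filter);
    if (rc != LDAP_SUCCESS) {
        ldap_msgfree(res);
        return -1;
    }
    count = ldap_count_entries(ld, res);    /* -1 on decoding error */
    ldap_msgfree(res);
    return count > 0 ? 1 : (count == 0 ? 0 : -1);
}
#endif
```

With libldap compiled in, group_exists(ld, "ou=groups,dc=example,dc=com", name) on a bound handle is the whole check (base DN is an assumption). libldap 2.4 also ships ldap_bv2escaped_filter_value() if you would rather not carry your own escaper; whichever you use, never paste an unescaped user-supplied value into a filter string.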
I was trying to compile openldap 2.4.x and I was surprised because this
version _requires_ BDB version 4.4. I am installing it in a Red Hat AS 4 up7
machine and RedHat has only BDB version 4.3 available to download.
Is there any doc on OpenLDAP site regarding upgrading BDB, from 4.2.x to
Is there any problem running openldap 4.4.x using BDB 4.2 ?
Thanks in advance
Gustavo Mendes de Carvalho
I sent the same question just after my registration but before my validation, so I'm not sure you received it.
I would like to know the name of the attribute for the "txt" record in a DNS zone.
I tried txtrecord, txtrecords, txt, but none of these are correct.
Can you help me ?
Thanks in advance
Aurélien de BEAUCHESNE
VOIPLine : 04 27 70 90 07
122 Grande rue St Clair
Tel : 04 72 27 49 00
Fax : 04 72 27 02 57
The landscaper of the Internet environment
A warm "Hello" from germany to the openldap-technical list!
I'm rather new to OpenLDAP, using version 2.4.12 on a SLES11 server.
I need to write an ACL which allows a user to see his own entry (objectClass
built on inetOrgPerson) and nothing else.
I know that this isn't the intended use of the LDAP system, but our manager
wants it that way.
I tried it with something like this:
access to dn.regex="uid=([^,]+),dc=justushere,dc=de$" attrs=entry
        by dn.regex="uid=$1,ou=Users,dc=justushere,dc=de" write
        by users none
but I just get a message about invalid credentials.
Used command was:
ldapsearch -xWD uid=user1,ou=users,dc=justushere,dc=de uid=user1
ldapsearch -xWD cn=admin,dc=justushere,dc=de uid=user1 with the rootdn
account shows the information, but if the uid of user1 is used for binding
Does anyone have an idea how to realize these restrictions?
Additionally, not all attributes should be listed to the user, only a few
that are important for him. My idea was to use an ACL like the above to make sure the user
only gets access to his object and then add a second ACL below that restricts
access to the important attributes.
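Added example, not from the poster's configuration: one way to express the restriction described above as slapd.conf access directives. The attribute list (uid, cn, sn, mail) and the ou=users container are assumptions. Two points explain the invalidCredentials result with the rules as posted: once any access directive exists, anything that no directive matches is denied, and a simple bind needs anonymous "auth" access to userPassword, so with only an attrs=entry rule the bind is refused before any search happens; and the regex in the posted rule has no ou=users component, while the DNs used for binding do. The "self" keyword already means "the bound DN is the entry being accessed", so no regex is needed to tie a user to his own entry.

```conf
# Added example (not the poster's configuration). Attribute names and the
# ou=users container are assumptions. Directives are evaluated in order and
# the first <what> that matches is used, so these must come before any
# "access to * by * read" already present.

# Simple bind: slapd verifies the password while the client is still
# anonymous, so anonymous needs "auth" on userPassword. With no matching
# rule access is denied and the bind fails with invalidCredentials (49)
# even when the password is right.
access to dn.subtree="ou=users,dc=justushere,dc=de" attrs=userPassword
        by self write
        by anonymous auth
        by * none

# The bound user may read only his own entry ("self") and only the listed
# attributes. "entry" is the pseudo-attribute controlling access to the entry
# itself; objectClass is listed so that an (objectClass=*) filter can still be
# evaluated against the entry.
access to dn.subtree="ou=users,dc=justushere,dc=de"
        attrs=entry,objectClass,uid,cn,sn,mail
        by self read
        by * none

# Everything else stays invisible to ordinary users. The rootdn is not
# subject to ACLs, so the cn=admin search from the post keeps working.
access to *
        by * none
```

Check it from the user's side with the search base pointed at his own entry: ldapsearch -x -W -D uid=user1,ou=users,dc=justushere,dc=de -b uid=user1,ou=users,dc=justushere,dc=de -s base '(objectClass=*)'. The same command with another user's DN as the base should return no entry, and an attribute outside the list must stay absent from the result even when requested by name. Run slaptest against the configuration before restarting slapd to catch ACL syntax errors.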