openldap-technical June 2009

openldap-technical@openldap.org

87 participants
100 discussions

Re: hardware requirement
by Quanah Gibson-Mount 11 Jun '09

11 Jun '09

--On Thursday, June 11, 2009 9:19 PM +0530 mukim pathan <mukim.iitkgp(a)gmail.com> wrote: > I will be using latest openldap release with Berkley database. If 32 bit > is not capable of it then please tell me the resource requirement for 64 > bit. Keep replies on the list if you want answers. The technical limitations of 32-bit OSes are well documented. Since I have no idea how large your database is when fully loaded, I can not say for certain that you'll hit (or have hit) those limits, but I find it *highly* likely. In any case, in this day and age, there is really no excuse to be running 32-bit OSes. --Quanah -- Quanah Gibson-Mount Principal Software Engineer Zimbra, Inc -------------------- Zimbra :: the leader in open source messaging and collaboration

1 0

hardware requirement
by mukim pathan 11 Jun '09

11 Jun '09

Hi, I have to setup a database for storing 100million entries, each entry with 4 columns. I will be using centOS linux OS for this. I checked previous queries regarding hardware, I found that with 32 bit machine, processing might get slow for 20million above records. I want to ask what should be the hardware configuration for this? Thank you in advance. Regards, Mukim Pathan

2 1

some thoughts about RDN
by Paweł Madej 11 Jun '09

11 Jun '09

Hello, I have such RDN cn=user1,dc=example,dc=com but my webmail software knows users only by emails (which is attribute to cn=user1,dc=example,dc=com) My question is how can i authenticate in LDAP using provided email? I tried sth like mail=test(a)example.com,dc=example,dc=com but ldap refuses such login. Thanks in advance for help Greets Pawel

4 9

Howto synchronization the username and password between windows AD and OpenLDAP server?
by openbsd shen 11 Jun '09

11 Jun '09

I hve Windows AD server and OpenLDAP server, may I synchronization username and passport between them?

1 0

solaris patch vs. linux patch
by Brett ＠Google 11 Jun '09

11 Jun '09

Hello, Just wondering if anybody knows why solaris patch refuses to process the bdb 4.7 patch files, where the patch command on linux works perfectly. Ie: on solaris : patch -p0 <patch.4.7.25.1 Looks like a context diff to me... Hunk #1 failed at line 187. Hunk #3 failed at line 296. 2 out of 4 hunks failed: saving rejects to sequence/sequence.c.rej done Works fine on a linux machine ? Have tried patch 2.5.9 built from soruce on gnu.org, this fails also. (i usually end up patching on linux, and then copying the patched tarball back to solaris.. but just wondering?) Cheers Brett

4 6

password change and ppolicy
by tizo 11 Jun '09

11 Jun '09

Hi there, We are using OpenLDAP 2.4.16 with ppolicy, to authenticate users for a JEE application. Authentication works great (with JNDI), and we are receiving ppolicy response controls without problem. In that way, the user knows when the password is about to expired, when the password have been reseted, etc. Now we want to offer users to change passwords from the application. Before starting this, I have been testing password changing with phpLDAPAdmin. The fact is that I could only change a user password with clear text. I guess that this behaviour happens because we have pwdCheckQulity setting in 2 in our default password policy. So, when the client (phpLDAPAdmin) tries to modify the password enconding it, the server (OpenLDAP) cannot check the min length of the password, as it is encoded, and then fails. I am guessing too, that phpLDAPAdmin is performing a simple modify operation to change the password, as it is stored in clear text. On the other hand, I could change passwords with ldappasswd withouth problem, and they are stored with SSHA. I know that this command uses RFC 3062. So, I am wondering which is the best way to change the password from a Java application. I guess that, if I have pwdCheckQulity setting in 2, the password should travel in clear text, so that ppolicy can check its min lenght for example. But I would like it to be stored encoded. How could I do that?. Do I have to use RFC 3062?. Do you know any Java implementation of the client side for that RFC?. Thanks very much, tizo

2 2

problem in my mirrormode
by Wissem BARAKET 10 Jun '09

10 Jun '09

Hello : i would like install a mirrormode in my ldap but i don t can make fonction : my OS debian lenny and mu open ldap 2.4.16 can you help me this my config in my first server : # This is the main slapd configuration file. See slapd.conf(5) for more # info on the configuration options. ####################################################################### # Global Directives: serverID 1 # Features to permit allow bind_v2 # Schema and objectClass definitions include /etc/ldap/schema/core.schema include /etc/ldap/schema/cosine.schema include /etc/ldap/schema/nis.schema include /etc/ldap/schema/inetorgperson.schema TLSCertificateFile /etc/ldap/tls/ldap_bdc_cert.pem TLSCertificateKeyFile /etc/ldap/tls/ldap_bdc_key.pem # Where the pid file is put. The init.d script # will not stop the server if you change this. pidfile /var/run/slapd/slapd.pid # List of arguments that were passed to the server argsfile /var/run/slapd/slapd.args # Read slapd.conf(5) for possible values loglevel sync # Where the dynamically loaded modules are stored modulepath /usr/lib/ldap moduleload back_bdb #moduleload syncprov # The maximum number of entries that is returned for a search operation sizelimit 500 # The tool-threads parameter sets the actual amount of cpu's that is used # for indexing. tool-threads 1 ####################################################################### # Specific Backend Directives for bdb: # Backend specific directives apply to this backend until another # 'backend' directive occurs backend bdb ####################################################################### # Specific Backend Directives for 'other': # Backend specific directives apply to this backend until another # 'backend' directive occurs #backend <other> ####################################################################### # Specific Directives for database #1, of type bdb: # Database specific directives apply to this databasse until another # 'database' directive occurs database bdb # The base of your directory in database #1 suffix "dc=xxx,dc=com" # rootdn directive for specifying a superuser on the database. This is needed # for syncrepl. # rootdn "cn=admin,dc=xxx,dc=com" # Where the database file are physically stored for database #1 directory "/var/lib/ldap" # The dbconfig settings are used to generate a DB_CONFIG file the first # time slapd starts. They do NOT override existing an existing DB_CONFIG # file. You should therefore change these settings in DB_CONFIG directly # or remove DB_CONFIG and restart slapd for changes to take effect. # For the Debian package we use 2MB as default but be sure to update this # value if you have plenty of RAM dbconfig set_cachesize 0 2097152 0 # Sven Hartge reported that he had to set this value incredibly high # to get slapd running at all. See http://bugs.debian.org/303057 for more # information. # Number of objects that can be locked at the same time. dbconfig set_lk_max_objects 1500 # Number of locks (both requested and granted) dbconfig set_lk_max_locks 1500 # Number of lockers dbconfig set_lk_max_lockers 1500 # Indexing options for database #1 index objectClass eq # Save the time that the entry gets modified, for database #1 lastmod on # Checkpoint the BerkeleyDB database periodically in case of system # failure and to speed slapd shutdown. checkpoint 512 30 # Where to store the replica logs for database #1 # replogfile /var/lib/ldap/replog # The userPassword by default can be changed # by the entry owning it if they are authenticated. # Others should not be able to see it, except the # admin entry below # These access lines apply to database #1 only access to attrs=userPassword,shadowLastChange by dn="cn=admin,dc=xxx,dc=com" write by dn="uid=mirrormode,ou=Users,dc=xxx,dc=com" write by anonymous auth by self write by * none # Ensure read access to the base for things like # supportedSASLMechanisms. Without this you may # have problems with SASL not knowing what # mechanisms are available and the like. # Note that this is covered by the 'access to *' # ACL below too but if you change that as people # are wont to do you'll still need this if you # want SASL (and possible other things) to work # happily. access to dn.base="" by * read access to dn.base="cn=Subschema" by * read # The admin dn has full write access, everyone else # can read everything. access to * by dn="cn=admin,dc=xxx,dc=com" write by dn="uid=mirrormode,dc=xxx,dc=com" read by * read # For Netscape Roaming support, each user gets a roaming # profile for which they have write access to #access to dn=".*,ou=Roaming,o=morsnet" # by dn="cn=admin,dc=xxx,dc=com" write # by dnattr=owner write ####################################################################### # Specific Directives for database #2, of type 'other' (can be bdb too): # Database specific directives apply to this databasse until another # 'database' directive occurs #database <other> # The base of your directory for database #2 #suffix "dc=debian,dc=org" rootdn "cn=admin,dc=xxx,dc=com" moduleload syncprov index entryCSN,entryUUID eq lastmod on overlay syncprov syncprov-checkpoint 100 10 syncprov-sessionlog 100 syncprov-nopresent TRUE syncprov-reloadhint TRUE syncrepl rid=001 provider=ldaps://debian.xxx.com:636 type=refreshAndPersist credentials=mirrormode searchbase="dc=xxx,dc=com" filter="(objectClass=*)" scope=sub schemachecking=on bindmethod=simple binddn="uid=mirrormode,ou=Users,dc=xxx,dc=com" binddn="cn=syncrepl,dc=xxx,dc=com" credentials=yyy syncrepl rid=002 provider=ldaps://debian1.xxx.com:636 type=refreshAndPersist credentials=mirrormode searchbase="dc=luniweb,dc=com" filter="(objectClass=*)" scope=sub schemachecking=on bindmethod=simple binddn="uid=mirrormode,ou=Users,dc=xxx,dc=com"binddn="cn=syncrepl,dc=xxx,dc=com" credentials=yyy mirrormode on the second server : # This is the main slapd configuration file. See slapd.conf(5) for more # info on the configuration options. ####################################################################### # Global Directives: serverID 1 # Features to permit allow bind_v2 # Schema and objectClass definitions include /etc/ldap/schema/core.schema include /etc/ldap/schema/cosine.schema include /etc/ldap/schema/nis.schema include /etc/ldap/schema/inetorgperson.schema TLSCertificateFile /etc/ldap/tls/ldap_pdc_cert.pem TLSCertificateKeyFile /etc/ldap/tls/ldap_pdc_key.pem # Where the pid file is put. The init.d script # will not stop the server if you change this. pidfile /var/run/slapd/slapd.pid # List of arguments that were passed to the server argsfile /var/run/slapd/slapd.args # Read slapd.conf(5) for possible values loglevel sync # Where the dynamically loaded modules are stored modulepath /usr/lib/ldap moduleload back_bdb moduleload syncprov # The maximum number of entries that is returned for a search operation sizelimit 500 # The tool-threads parameter sets the actual amount of cpu's that is used # for indexing. tool-threads 1 ####################################################################### # Specific Backend Directives for bdb: # Backend specific directives apply to this backend until another # 'backend' directive occurs backend bdb ####################################################################### # Specific Backend Directives for 'other': # Backend specific directives apply to this backend until another # 'backend' directive occurs #backend <other> ####################################################################### # Specific Directives for database #1, of type bdb: # Database specific directives apply to this databasse until another # 'database' directive occurs database bdb # The base of your directory in database #1 suffix "dc=xxx,dc=com" # rootdn directive for specifying a superuser on the database. This is needed # for syncrepl. # rootdn "cn=admin,dc=xxx,dc=com" # Where the database file are physically stored for database #1 directory "/var/lib/ldap" # The dbconfig settings are used to generate a DB_CONFIG file the first # time slapd starts. They do NOT override existing an existing DB_CONFIG # file. You should therefore change these settings in DB_CONFIG directly # or remove DB_CONFIG and restart slapd for changes to take effect. # For the Debian package we use 2MB as default but be sure to update this # value if you have plenty of RAM dbconfig set_cachesize 0 2097152 0 # Sven Hartge reported that he had to set this value incredibly high # to get slapd running at all. See http://bugs.debian.org/303057 for more # information. # Number of objects that can be locked at the same time. dbconfig set_lk_max_objects 1500 # Number of locks (both requested and granted) dbconfig set_lk_max_locks 1500 # Number of lockers dbconfig set_lk_max_lockers 1500 # Indexing options for database #1 index objectClass eq # Save the time that the entry gets modified, for database #1 lastmod on # Checkpoint the BerkeleyDB database periodically in case of system # failure and to speed slapd shutdown. checkpoint 512 30 # Where to store the replica logs for database #1 # replogfile /var/lib/ldap/replog # The userPassword by default can be changed # by the entry owning it if they are authenticated. # Others should not be able to see it, except the # admin entry below # These access lines apply to database #1 only access to attrs=userPassword,shadowLastChange by dn="cn=admin,dc=xxx,dc=com" write by dn="uid=mirrormode,ou=Users,dc=xxx,dc=com" write by anonymous auth by self write by * none # Ensure read access to the base for things like # supportedSASLMechanisms. Without this you may # have problems with SASL not knowing what # mechanisms are available and the like. # Note that this is covered by the 'access to *' # ACL below too but if you change that as people # are wont to do you'll still need this if you # want SASL (and possible other things) to work # happily. access to dn.base="" by * read #access to dn.base="cn=Subschema"by * read # The admin dn has full write access, everyone else # can read everything. access to * by dn="cn=admin,dc=xxx,dc=com" write by dn="uid=mirrormode,dc=xxx,dc=com" read by * read #defaultsearchbase dc=xxx,dc=com #sasl_host localhost #sasl_secprops none password-hash {MD5} # For Netscape Roaming support, each user gets a roaming # profile for which they have write access to #access to dn=".*,ou=Roaming,o=morsnet" # by dn="cn=admin,dc=xxx,dc=com" write # by dnattr=owner write ####################################################################### # Specific Directives for database #2, of type 'other' (can be bdb too): # Database specific directives apply to this databasse until another # 'database' directive occurs #database <other> # The base of your directory for database #2 #suffix "dc=debian,dc=org" rootdn "cn=admin,dc=xxx,dc=com" index entryCSN,entryUUID eq lastmod on overlay syncprov syncprov-checkpoint 100 10 syncprov-sessionlog 100 syncprov-nopresent TRUE syncprov-reloadhint TRUE syncrepl rid=002 provider=ldaps://debian1.xxx.com:636 type=refreshAndPersistcredentials=mirrormode searchbase="dc=xxx,dc=com" filter="(objectClass=*)" scope=sub schemachecking=on bindmethod=simple binddn="uid=mirrormode,ou=Users,dc=xxx,dc=com"binddn="cn=syncrepl,dc=xxx,dc=com" credentials=yyy syncrepl rid=001 provider=ldaps://debian.xxx.com:636 type=refreshAndPersist credentials=mirrormode searchbase="dc=xxx,dc=com" filter="(obj#ectClass=*)" scope=sub schemachecking=on bindmethod=simple binddn="uid=mirrormode,ou=Users,dc=xxx,dc=com" binddn="cn=syncrepl,dc=xxx,dc=com" credentials=yyy mirrormode on thanks

2 1

Re: UCARP setup
by Ivan Ordonez 10 Jun '09

10 Jun '09

Matt Kassawara wrote: > I don't see why not... you'll just need to configure it to use the > hostname/IP pointing to the active server. > > On Jun 9, 2009, at 4:39 PM, Ivan Ordonez wrote: > >> >> >> Matt Kassawara wrote: >>> >>> I'd recommend looking at mirror mode. >>> http://www.openldap.org/doc/admin24/replication.html >>> >>> On Tue, Jun 9, 2009 at 2:40 PM, Ivan Ordonez >>> <iordonez(a)nature.berkeley.edu> wrote: >>> Hi, >>> >>> Has anyone here have any experience using UCARP with openldap? >>> >>> http://www.ucarp.org/project/ucarp >>> >>> Our department want to use UCARP to provide automatic failover but >>> I'm at lost on how to make two machines replicate openldap data. If >>> you have a better suggestion, or ideas on how to make it work, >>> please let me know. >>> >>> Thanks in advance. >>> >>> -Ivan >>> >> >> Can you do a mirror mode and at the same time, have a consumer, for >> example, a BDC sitting on a different subnet? I'll give it a shot. Thanks for all the help. -Ivan

1 0

Error while using relay
by venish khant 10 Jun '09

10 Jun '09

Hi all, I am trying to access LDAP search using email address instead of DN. For that I am using overlay rwm, and relay. When I gave relay "dc=example,dc=com", slapd give me error like(unknown directive <relay> inside backend database definition). I all ready enabled modules for relay(back_relay.so) and rwm(rwm.so). openLDAP => 2.4.15 Backend => bdb (Berkeley Database) Regards -- Venish Khant www.deeproot.co.in

5 11

CRL question
by joakim＠comex.se 10 Jun '09

10 Jun '09

Hi, I'm using Openldap with TLS and CRL. My slapd.conf file has the line "TLSCRLCheck all". When the CRL has expired the client is not allowed to make a TLS connection. My question is whether it is possible to configure openldap to let the client connect to the server (possibly with a warning) even when the CRL has expired. Does anyone know if that is possible? /Jocke ########################################### This message has been scanned by F-Secure Anti-Virus for Microsoft Exchange. For more information, connect to http://www.f-secure.com/

2 3

← Newer
1
2
3
4
5
6
7
8
9
10
Older →

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical June 2009