openldap-technical September 2009

openldap-technical@openldap.org

70 participants
72 discussions

Search filter for numbers
by Florian Götz 30 Sep '09

30 Sep '09

Hi everbody, I tried to create a dynamic group with dynlist and got a problem with a search filter. I searched the net for a solution, but found nothing that fits. I want to collect all people thet have a common attribute (attributA=X), but only people that have a uid that isn´t a number. We got people with uids similar to their last name (Meier, Müller, Schmidt) and Users that got a number as uid (123456). I tried a filter like: ldap:///ou=users,dc=example,dc=de?uid?sub?(&(attributeA=X)(!(uid=[0-9]*))) but that doesn´t work. A solution like: ldap:///ou=users,dc=example,dc=de?uid?sub?(&(attributeA=X)(!(uid=0*))(! (uid=1*))(!(uid=2*))(!(uid=3*)).....) works, but there must be a more elegant way to do this....right? Best regards, Florian Götz ---------------------------------------------------------------------------------------- Dipl.-Inf. (FH) Florian Götz Rechenzentrum Hochschule Mannheim Paul-Wittsack-Straße 10 68163 Mannheim Tel: 0621/292-6232 EMail: f.goetz(a)hs-mannheim.de Internet: http://www.rz.hs-mannheim.de -----

2 1

Unable to bind to active directory using TLS
by Harish Chakravarthy 29 Sep '09

29 Sep '09

Hello Everyone, Greetings. I am unable to bind to active directory using TLS. I get the following error while executing my script via the browser *PHP Warning: ldap_start_tls() [<a href='function.ldap-start-tls'>function.ldap-start-tls</a>]: Unable to start TLS: Connect error* The same script when executed from the command line works!. I have compiled PHP with flags --with-ldap --with-ldap-sasl --with-openssl . Can you help me further trouble shoot this problem?. Thanks Harish

2 6

slapo-rwm segfault
by Ralf Zimmermann 28 Sep '09

28 Sep '09

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi all, I have a problem with the slapo-rwm overlay. Here is my config: sizelimit=unlimited ... overlay rwm rwm-rewriteEngine on rwm-rewriteMap LDAP attr2dn "ldaps:///dc=domain,dc=local?dn?sub" rwm-rewriteContext bindDN rwm-rewriteRule "^(uid=(.*)+),(dc=dummy,dc=domain,dc=local)" "${attr2dn($1)}" ":@I" ... When I configure a fixed sizelimit < 9500 all runs fine. With a sizelimit=unlimited slapd crash with a segfault: Sep 28 14:31:44 ldap kernel: slapd[3734]: segfault at 0 ip b79a118a sp a1176d5c error 4 in libc-2.9.so[b792e000+155000] Is there a Problem with slapo-rwm and the number of fetched entries? The problem is replicable under SLES11 openldap 2.4.12 or a self compiled openldap 2.4.18 under Debian squeeze. Greets Ralf Zimmermann - -- .''`. Ralf Zimmermann : :' : Siegnetz.IT http://www.siegnetz.de `. `' Schneppenkauten 1a http://boardfreunde.de `- 57076 Siegen send no mail to garbage(a)siegnetz.de send no mail to garbage(a)boardfreunde.de Tel.: +49 271 68193 13 Fax.: +49 271 68193 29 Amtsgericht Siegen HRB4838 Geschaeftsfuehrer: Oliver Seitz Sitz der Gesellschaft ist Siegen -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iEYEARECAAYFAkrAr4YACgkQqTAMJBAFqji9vQCfQWngaiz5L509wGwp+ftUcSzI RC4An2vBRqnm5JX/h7h7UmYc7XR0bcfZ =1Fdp -----END PGP SIGNATURE-----

1 0

Re: Unable to bind to active directory using TLS
by Zdenek Styblik 26 Sep '09

26 Sep '09

Harish Chakravarthy wrote: > Hello, > > Thanks for your response. > > "Can you please code I've attached?" - I don't see one in the email. > Secondly, my test script (command line & web) is not looking for ldap.conf. > > -Harish > Morning, I've checked the sent mail and it's there as an attachment. Well, here we go: --- SNIP --- <?php /* * [PHP] Code to test LDAP connection */ define('MYLDAP_HOST', 'ldap://localhost'); define('MYLDAP_PORT', 389); define('MYLDAP_BINDDN', 'cn=LDAPuser,dc=domain,dc=tld'); define('MYLDAP_PSWD', 'myPass'); define('MYLDAP_TLS', true); # buggy - don't use? # !-- some input var checks here --! $ldapConn = ldap_connect(MYLDAP_HOST, MYLDAP_PORT); if (!$ldapConn) { exit("Unable to connect to LDAP server"); } if (!ldap_set_option($ldapConn, LDAP_OPT_PROTOCOL_VERSION, 3)) { exit("Unable to set protocol version to v3"); } # buggy - don't use ? if (MYLDAP_TLS) { ldap_start_tls($ldapConn) or die("Can't start TLS"); } $ldapBind = ldap_bind($ldapConn, MYLDAP_BINDDN, MYLDAP_PSWD); if (!$ldapBind) { exit("LDAP Bind failed"); } echo "OK"; ldap_unbind($ldapConn); # aka ldap_close return 0; ?> --- SNIP --- Zdenek -- Zdenek Styblik Net/Linux admin OS TurnovFree.net email: stybla(a)turnovfree.net jabber: stybla(a)jabber.turnovfree.net > On Sat, Sep 26, 2009 at 12:33 AM, Zdenek Styblik <stybla(a)turnovfree.net > <mailto:stybla@turnovfree.net>> wrote: > > Harish Chakravarthy wrote: >> Here is more information >> 1. I am binding to Active Directory from Solaris 10 >> 2. My php_info gives configure options as './configure' >> '--prefix=/home/local/php-5.2.9' '--with-apxs2=/path/apache2/bin/apxs' >> '--with-ldap' '--with-ldap-sasl' '--with-openssl=/usr/local/ssl' >> '--with-mysql=/usr/local/mysql/' '--with-gd' >> 3. The PATH & LD_LIBRARY_PATH listed via php_info on the browser has >> exactly the same settings as my user account (that executes the script >> from command line) >> 4. I have a ldap.conf file inside /opt/csw/etc/openldap . However this >> file is not being used by the script (command line or web). I > rename the >> file and nothing changes!. >> 5. I have apache compiled for mod_ssl > >> Should I recompile Apache with mod_ldap or any additional modules - I >> using a PHP script on my webserver to gather login & password to >> authenticated against Active Directory?. > >> Thanks again for your time. > >> -Harish > > > > Hello, > > I'm sorry, I should have read better. I replied in haste and- > Can you please code I've attached? It should be sufficient just to > supply credentials. I've tested it and, although I can't make an LDAP > connection from console [I've messed something in PHP; ignore], it works > for me via WEB [I can see 'OK']. I'm not sure why I've put comments > about TLS being buggy [probably something in PHP documentation?], but > the code [PHP] works with LDAP TLS just fine. > > I don't think you need mod_ldap in Apache, as this one should serve for > direct interaction of httpd<-->LDAP [imao]. > > Let me know, > Zdenek >

1 0

Memberof overlay
by Kristian Berg 24 Sep '09

24 Sep '09

Hi I've shifted through the mailinglist archive in search of an answear to how one combines posixAccount with posixGroup for filtering, with the memberof overlay. The only answear I found, was that it wasn't possible. What I've tried was adding: overlay memberof memberof-group-oc posixGroup memberof-member-ad memberUid Which doesn't work. I get the following error message: /etc/openldap2.4/slapd.conf: line 173: member attribute="memberUid" must either have DN (1.3.6.1.4.1.1466.115.121.1.12) or nameUID (1.3.6.1.4.1.1466.115.121.1.34) syntax. According to earlier mailinglist posts, memberUid can't be used with memberof. The other solution that crossed my mind was adding a member-attribute in the posixGroup which is linked with the posixAccount dn, whenever I add a memberUid to the group. Although I haven't tested it yet, as my schema-fu is limited. This seems like the wrong approach though. What I want to do is using a ldap query filter to check if a posixAccount is member of a group with the same name as the server. Ie: retreiving all valid accounts for that particular server with (&(objectClass=posixAccount)(memberof=cn=servername,ou=group,dc=base)). This is with standard ldap on AIX as the client and openldap 2.4.18 as the server. Linux clients and hp-ux clients also connect to this ldap-server though, so the options regarding layout of the tree is limited. So may questions to you, dear internett mailinglist heroes, is: * Is there an easy way to combine posixAccount with posixGroup? * Is the hard way feasiable if not? * Are some of you using some better way of managing logins on aix with a ldap-server shared with operating system logins? -- Kristian Berg

1 0

Limiting finger lookup access on Linux
by Rex Roof 24 Sep '09

24 Sep '09

I have some linux machines that I have configured for student access. We are authenticating against our OpenLDAP tree and limiting which users have access via an LDAP groupOfNames. This is all working perfectly. This is the problem I am having. Any user with access to the system can run the /usr/bin/finger command and do a name search against our entire LDAP tree. I would like to limit the info available via finger to just the users that have access to any particular machine. How can this be controlled? -Rex

8 14

RE: LDAPCon slides
by Morteza Ansari 24 Sep '09

24 Sep '09

It indeed was a great conference, thanks for organizing it. On the embedded directory front, I will be even more impressed once you get your G1 to generate certs ;-) Cheers, Morteza -----Original Message----- From: openldap-technical-bounces+mansari=postpath.com(a)openldap.org [mailto:openldap-technical-bounces+mansari=postpath.com@openldap.org] On Behalf Of Howard Chu Sent: Wednesday, September 23, 2009 12:59 PM To: openldap-technical(a)openldap.org Subject: LDAPCon slides For those of you who weren't able to attend the conference, most of the submitted talks now have their slides/papers online on the web site. http://www.symas.com/ldapcon2009/papers.shtml You missed a lot of great discussions, and a live demo of probably the world's smallest LDAP server installation - OpenLDAP 2.4.18 running on my G1 phone, serving queries from Ludovic Poitou's iPhone address book. OpenLDAP doesn't just scale up to massive multi-processor deployments, it also works well at the smallest of scales. Even the "embedded directory" guys haven't gotten here yet... -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

Re: Advice/comments on deploying openLDAP in a VirtualBox
by Arun Khan 23 Sep '09

23 Sep '09

> Date: Tue, 22 Sep 2009 16:59:30 -0400 > From: Adam Tauno Williams <awilliam(a)opengroupware.us> > Subject: Re: Advice/comments on deploying openLDAP in a VirtualBox > appliance. > To: openldap-technical(a)openldap.org > Message-ID: <1253653170.5317.24.camel@linux-m3mt> > Content-Type: text/plain > > On Wed, 2009-09-23 at 00:23 +0530, Arun Khan wrote: >> I have completed the prototyping of openldap, samba/pdc, on a >> VirtualBox appliance. The setup works fine with 4-5 different >> desktop clients connecting to >> the services. >> Appliance details: VirtualBox 3.0.6 - 512MB RAM, 8MB Video RAM, 9GB >> VDI with 1GB Swap and CentOS 5.3 64bit). >> I am considering deploying this appliance into production with 1GB >> RAM. The no. of clients connecting to the server will be approx. 150. >> Has anyone deployed openLDAP + Samba/PDC in a VirtualBox appliance? > > I don't know anything about Virtual Box but I operate an OpenLDAP + > Samba/PDC for 300+ used on an ESX VM with roughly the allocated > resources you specify [although I have no idea about "Video RAM" or > "VDI"]. I imagine the performance of the underlying host may matter > more than your specific allocations so long as process fit into the > allocated memory. Much thanks for sharing your experience and validating the deployment openLDAP+Samba/PDC in a virtual environment. The VirtualBox VideoRam is applicable only for graphical display and VDI == VirtualDiskImage (it is the file that contains the VM). -- Arun Khan

1 0

bdb checkpoints
by Oliver Henriot 23 Sep '09

23 Sep '09

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Dear list users, I'm trying to get my DB_CONFIG file sorted out and I'm getting confused. If I follow the documentation available on zytrax.com (http://www.zytrax.com/books/ldap/ch6/bdb.html#db-config), if I have a DB_CONFIG file it should contain a txn_checkpoint directive instead of the checkpoint directive in slapd.conf file which indeed does nothing no matter if I change it or not. But if I put a txn_checkpoint in the DB_CONFIG file I get a "unrecognized name-value pair: txn_checkpoint" error and everything dies miserably. So, as Howard suggests (http://www.openldap.org/lists/openldap-software/200605/msg00091.html), I set off on a quest to read the BerkeleyDB documentation. I'm finding reading it not very useful for several reasons. Firstly txn_checkpoint directive sometimes occurs (http://www.oracle.com/technology/documentation/berkeley-db/db/programmer_re… so at least version 3.1, and up?, should understand txn_checkpoint) and sometimes not (http://www.oracle.com/technology/documentation/berkeley-db/db/api_reference…). Secondly, there is scarce, if any, reference to the versions of BDB concerned in the documentation I have found and now I have spent an awful amount time (well, ten minutes maybe) trying to find out exactly which version of BDB I have I'd like to make some intelligent use of that information if at all possible. Well, I'm lost. The only thing I've found is a gigabyte of bdb logs created when I populate my directory wich are not removed by dbconfig set_flags DB_LOG_AUTOREMOVE, and even more as my directory lives it life (several gigabytes after a week or two). So I'd like to reduce their volume if at all possible rather than having to regularly remove them using slapd_db_archive manually. So, what's the story with BDB transaction checkpoint logs? How can I get this mess sorted out? I'm using Openldap 2.3.43-3.el5 with BDB 4.3.29 on CentOS 5.3. Thanks. Best regards, Oliver -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iEYEARECAAYFAkq5+hoACgkQSWuBJnHIHdIZxACg1kcPx90oHYn8G/D33HWf+dzE 0OAAnRgckB9Nbre0Z7azx15YFLOMOCR4 =OYos -----END PGP SIGNATURE-----

3 4

LDAPCon slides
by Howard Chu 23 Sep '09

23 Sep '09

For those of you who weren't able to attend the conference, most of the submitted talks now have their slides/papers online on the web site. http://www.symas.com/ldapcon2009/papers.shtml You missed a lot of great discussions, and a live demo of probably the world's smallest LDAP server installation - OpenLDAP 2.4.18 running on my G1 phone, serving queries from Ludovic Poitou's iPhone address book. OpenLDAP doesn't just scale up to massive multi-processor deployments, it also works well at the smallest of scales. Even the "embedded directory" guys haven't gotten here yet... -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical September 2009