Search filter for numbers
by Florian Götz
Hi everybody,
I tried to create a dynamic group with dynlist and got a problem with a search
filter. I searched the net for a solution, but found nothing that fits.
I want to collect all people that have a common attribute (attributA=X), but
only people that have a uid that isn't a number.
We got people with uids similar to their last name (Meier, Müller, Schmidt)
and Users that got a number as uid (123456).
I tried a filter like:
ldap:///ou=users,dc=example,dc=de?uid?sub?(&(attributeA=X)(!(uid=[0-9]*)))
but that doesn't work.
A solution like:
ldap:///ou=users,dc=example,dc=de?uid?sub?(&(attributeA=X)(!(uid=0*))(!(uid=1*))(!(uid=2*))(!(uid=3*)).....)
works, but there must be a more elegant way to do this....right?
Best regards,
Florian Götz
----------------------------------------------------------------------------------------
Dipl.-Inf. (FH) Florian Götz
Rechenzentrum Hochschule Mannheim
Paul-Wittsack-Straße 10
68163 Mannheim
Tel: 0621/292-6232
EMail: f.goetz(a)hs-mannheim.de
Internet: http://www.rz.hs-mannheim.de
-----
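An added example, not part of the original post and not OpenLDAP code: RFC 4515 search filters have no character-class or regular-expression syntax, so the `[0-9]` in `(uid=[0-9]*)` is matched as the literal five characters, and the per-digit negations in the second URL are the portable way to say "uid does not start with a digit". The script below generates that filter and the full dynlist memberURL instead of writing them out by hand, then runs both filter variants through a small filter interpreter over constructed entries so the difference is visible. The base DN and attribute names are the ones from the post; the entries are made up. One caveat the output makes visible: the per-digit filter excludes every uid that begins with a digit, not only all-numeric ones.

```python
"""Added example (not code from the thread or from OpenLDAP): generate the
per-digit exclusion filter for a dynlist memberURL and evaluate it against
constructed sample entries with a small RFC 4515 filter interpreter.
Attribute/base names come from the post; SAMPLE_ENTRIES are made up."""

DIGITS = "0123456789"


def non_numeric_uid_filter(common="(attributeA=X)", attr="uid"):
    """AND the common assertion with one negated prefix assertion per digit.
    Filters have no regex syntax, so this is how 'uid does not start with
    a digit' has to be spelled out."""
    excludes = "".join(f"(!({attr}={d}*))" for d in DIGITS)
    return f"(&{common}{excludes})"


def dynlist_url(base="ou=users,dc=example,dc=de", attrs="uid", scope="sub", filt=None):
    """Assemble the ldap:///base?attrs?scope?filter form used as memberURL."""
    return f"ldap:///{base}?{attrs}?{scope}?{filt or non_numeric_uid_filter()}"


def _match_value(pattern, value):
    """RFC 4515 equality/substring semantics: '*' is the only wildcard and
    everything else (including '[0-9]') is literal; the comparison is case-
    insensitive, like the caseIgnore matching rule uid uses."""
    v, parts = value.lower(), pattern.lower().split("*")
    if len(parts) == 1:                      # plain equality assertion
        return v == parts[0]
    initial, *anys, final = parts
    if not v.startswith(initial) or not v.endswith(final):
        return False
    pos = len(initial)
    for piece in anys:                       # each 'any' part, in order
        idx = v.find(piece, pos)
        if idx < 0 or idx + len(piece) > len(v) - len(final):
            return False
        pos = idx + len(piece)
    return pos + len(final) <= len(v)


def parse_filter(s, i=0):
    """Recursive-descent parser for the subset used here:
    (&...), (|...), (!...) and (attr=value). Returns (node, next_index)."""
    if s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if s[i] in "&|!":
        op, kids, i = s[i], [], i + 1
        while s[i] == "(":
            node, i = parse_filter(s, i)
            kids.append(node)
        return (op, kids), i + 1             # skip the closing ')'
    end = s.index(")", i)
    attr, _, value = s[i:end].partition("=")
    return ("=", attr.lower(), value), end + 1


def evaluate(node, entry):
    """Evaluate a parsed filter against an entry {attr_lowercase: [values]}."""
    op = node[0]
    if op == "&":
        return all(evaluate(k, entry) for k in node[1])
    if op == "|":
        return any(evaluate(k, entry) for k in node[1])
    if op == "!":
        return not evaluate(node[1][0], entry)
    _, attr, pattern = node
    return any(_match_value(pattern, v) for v in entry.get(attr, []))


# Constructed sample entries (not real directory data).
SAMPLE_ENTRIES = [
    {"uid": ["Meier"], "attributea": ["X"]},
    {"uid": ["Müller"], "attributea": ["X"]},
    {"uid": ["123456"], "attributea": ["X"]},      # numeric uid: should drop out
    {"uid": ["Schmidt"], "attributea": ["Y"]},     # wrong attributeA value
    {"uid": ["4711meier"], "attributea": ["X"]},   # leading digit: also dropped
    {"uid": ["[0-9]abc"], "attributea": ["X"]},    # what '(uid=[0-9]*)' really matches
]


def matching_uids(filter_string, entries=SAMPLE_ENTRIES):
    """Return the uids of the entries a filter string selects."""
    node, _ = parse_filter(filter_string)
    return [e["uid"][0] for e in entries if evaluate(node, e)]


if __name__ == "__main__":
    print(dynlist_url())
    print("per-digit filter keeps:", matching_uids(non_numeric_uid_filter()))
    print("regex attempt keeps:  ", matching_uids("(&(attributeA=X)(!(uid=[0-9]*)))"))
```

Running it shows the regex-style URL keeping `123456` and `4711meier` (and dropping only the entry whose uid literally starts with `[0-9]`), while the generated per-digit filter keeps exactly the non-digit-leading uids.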
11 years, 6 months
Unable to bind to active directory using TLS
by Harish Chakravarthy
Hello Everyone,
Greetings.
I am unable to bind to active directory using TLS. I get the following error
while executing my script via the browser
*PHP Warning: ldap_start_tls() [<a
href='function.ldap-start-tls'>function.ldap-start-tls</a>]: Unable to start
TLS: Connect error*
The same script when executed from the command line works!
I have compiled PHP with flags --with-ldap --with-ldap-sasl --with-openssl.
Can you help me further troubleshoot this problem?
Thanks
Harish
11 years, 6 months
slapo-rwm segfault
by Ralf Zimmermann
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi all,
I have a problem with the slapo-rwm overlay. Here is my config:
sizelimit=unlimited
...
overlay rwm
rwm-rewriteEngine on
rwm-rewriteMap LDAP attr2dn "ldaps:///dc=domain,dc=local?dn?sub"
rwm-rewriteContext bindDN
rwm-rewriteRule "^(uid=(.*)+),(dc=dummy,dc=domain,dc=local)" "${attr2dn($1)}" ":@I"
...
When I configure a fixed sizelimit < 9500 all runs fine. With
sizelimit=unlimited slapd crashes with a segfault:
Sep 28 14:31:44 ldap kernel: slapd[3734]: segfault at 0 ip b79a118a sp a1176d5c error 4 in libc-2.9.so[b792e000+155000]
Is there a problem with slapo-rwm and the number of fetched entries?
The problem is replicable under SLES11 openldap 2.4.12 or a self
compiled openldap 2.4.18 under Debian squeeze.
Greets
Ralf Zimmermann
- --
.''`. Ralf Zimmermann
: :' : Siegnetz.IT http://www.siegnetz.de
`. `' Schneppenkauten 1a http://boardfreunde.de
`- 57076 Siegen send no mail to garbage(a)siegnetz.de
send no mail to garbage(a)boardfreunde.de
Tel.: +49 271 68193 13
Fax.: +49 271 68193 29
Amtsgericht Siegen HRB4838
Geschaeftsfuehrer: Oliver Seitz
Sitz der Gesellschaft ist Siegen
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkrAr4YACgkQqTAMJBAFqji9vQCfQWngaiz5L509wGwp+ftUcSzI
RC4An2vBRqnm5JX/h7h7UmYc7XR0bcfZ
=1Fdp
-----END PGP SIGNATURE-----
11 years, 6 months
Re: Unable to bind to active directory using TLS
by Zdenek Styblik
Harish Chakravarthy wrote:
> Hello,
>
> Thanks for your response.
>
> "Can you please code I've attached?" - I don't see one in the email.
> Secondly, my test script (command line & web) is not looking for ldap.conf.
>
> -Harish
>
Morning,
I've checked the sent mail and it's there as an attachment.
Well, here we go:
--- SNIP ---
<?php
/*
 * [PHP] Code to test LDAP connection
 */
define('MYLDAP_HOST', 'ldap://localhost');
define('MYLDAP_PORT', 389);
define('MYLDAP_BINDDN', 'cn=LDAPuser,dc=domain,dc=tld');
define('MYLDAP_PSWD', 'myPass');
define('MYLDAP_TLS', true); # buggy - don't use?
# !-- some input var checks here --!
$ldapConn = ldap_connect(MYLDAP_HOST, MYLDAP_PORT);
if (!$ldapConn) {
    exit("Unable to connect to LDAP server");
}
# StartTLS requires LDAPv3
if (!ldap_set_option($ldapConn, LDAP_OPT_PROTOCOL_VERSION, 3)) {
    exit("Unable to set protocol version to v3");
}
# buggy - don't use ?
if (MYLDAP_TLS) {
    # include the library's own error text so a failure is diagnosable
    ldap_start_tls($ldapConn) or die("Can't start TLS: " . ldap_error($ldapConn));
}
$ldapBind = ldap_bind($ldapConn, MYLDAP_BINDDN, MYLDAP_PSWD);
if (!$ldapBind) {
    exit("LDAP Bind failed: " . ldap_error($ldapConn));
}
echo "OK";
ldap_unbind($ldapConn); # aka ldap_close
return 0;
?>
--- SNIP ---
Zdenek
--
Zdenek Styblik
Net/Linux admin
OS TurnovFree.net
email: stybla(a)turnovfree.net
jabber: stybla(a)jabber.turnovfree.net
> On Sat, Sep 26, 2009 at 12:33 AM, Zdenek Styblik <stybla(a)turnovfree.net
> <mailto:stybla@turnovfree.net>> wrote:
>
> Harish Chakravarthy wrote:
>> Here is more information
>> 1. I am binding to Active Directory from Solaris 10
>> 2. My php_info gives configure options as './configure'
>> '--prefix=/home/local/php-5.2.9' '--with-apxs2=/path/apache2/bin/apxs'
>> '--with-ldap' '--with-ldap-sasl' '--with-openssl=/usr/local/ssl'
>> '--with-mysql=/usr/local/mysql/' '--with-gd'
>> 3. The PATH & LD_LIBRARY_PATH listed via php_info on the browser has
>> exactly the same settings as my user account (that executes the script
>> from command line)
>> 4. I have a ldap.conf file inside /opt/csw/etc/openldap . However this
>> file is not being used by the script (command line or web). I
> rename the
>> file and nothing changes!
>> 5. I have apache compiled for mod_ssl
>
>> Should I recompile Apache with mod_ldap or any additional modules - I'm
>> using a PHP script on my webserver to gather login & password to
>> authenticate against Active Directory?
>
>> Thanks again for your time.
>
>> -Harish
>
>
>
> Hello,
>
> I'm sorry, I should have read better. I replied in haste and-
> Can you please code I've attached? It should be sufficient just to
> supply credentials. I've tested it and, although I can't make an LDAP
> connection from console [I've messed something in PHP; ignore], it works
> for me via WEB [I can see 'OK']. I'm not sure why I've put comments
> about TLS being buggy [probably something in PHP documentation?], but
> the code [PHP] works with LDAP TLS just fine.
>
> I don't think you need mod_ldap in Apache, as this one should serve for
> direct interaction of httpd<-->LDAP [imao].
>
> Let me know,
> Zdenek
>
11 years, 6 months
Memberof overlay
by Kristian Berg
Hi
I've sifted through the mailing list archive in search of an answer to how
one combines posixAccount with posixGroup for filtering, with the memberof
overlay. The only answer I found was that it wasn't possible. What I've
tried was adding:
overlay memberof
memberof-group-oc posixGroup
memberof-member-ad memberUid
Which doesn't work. I get the following error message:
/etc/openldap2.4/slapd.conf: line 173: member attribute="memberUid" must
either have DN (1.3.6.1.4.1.1466.115.121.1.12) or nameUID
(1.3.6.1.4.1.1466.115.121.1.34) syntax.
According to earlier mailing list posts, memberUid can't be used with
memberof. The other solution that crossed my mind was adding a
member attribute in the posixGroup which is linked with the posixAccount
dn, whenever I add a memberUid to the group. Although I haven't tested it
yet, as my schema-fu is limited.
This seems like the wrong approach though. What I want to do is use an
LDAP query filter to check if a posixAccount is a member of a group with the
same name as the server, i.e. retrieving all valid accounts for that
particular server with
(&(objectClass=posixAccount)(memberof=cn=servername,ou=group,dc=base)).
This is with standard ldap on AIX as the client and openldap 2.4.18 as the
server. Linux clients and hp-ux clients also connect to this ldap-server
though, so the options regarding the layout of the tree are limited.
So my questions to you, dear internet mailing list heroes, are:
* Is there an easy way to combine posixAccount with posixGroup?
* Is the hard way feasible if not?
* Are some of you using some better way of managing logins on aix with an
ldap-server shared with operating system logins?
--
Kristian Berg
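An added example, not code from the thread or from OpenLDAP, for the "hard way" sketched above: slapo-memberof insists on a DN-syntax member attribute (that is what the slapd.conf error says), so the group has to carry something like `member` alongside `memberUid`. The script below reads posixAccount and posixGroup entries from constructed LDIF, resolves every memberUid to the DN of the matching account, and emits the `changetype: modify` records that add the missing `member` values, while reporting memberUid values that resolve to no account (dangling references, which would otherwise be silently dropped). It assumes, and this is an assumption rather than something the thread confirms, a schema in which the group entry may hold `member` (for example an rfc2307bis-style layout where posixGroup is auxiliary and is combined with groupOfNames); in the stock nis.schema posixGroup is structural and has no DN-valued attribute.

```python
"""Added example (not from the thread): derive DN-valued 'member' values
from posixGroup memberUid values and emit the LDIF modify records that add
them, so slapo-memberof can be pointed at 'member' instead of memberUid.

Assumption: the group entries are allowed to carry 'member' (e.g. an
rfc2307bis-style schema). SAMPLE_LDIF below is constructed, not real data."""
from collections import defaultdict

SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
objectClass: posixAccount
uid: alice

dn: uid=bob,ou=people,dc=example,dc=com
objectClass: posixAccount
uid: bob

dn: cn=srv01,ou=group,dc=example,dc=com
objectClass: posixGroup
cn: srv01
memberUid: alice
memberUid: bob
memberUid: carol

dn: cn=srv02,ou=group,dc=example,dc=com
objectClass: posixGroup
cn: srv02
memberUid: bob
member: uid=bob,ou=people,dc=example,dc=com
"""


def parse_ldif(text):
    """Minimal LDIF reader: entries separated by blank lines, 'attr: value'
    lines, folded continuation lines (leading space) joined. Returns a list
    of (dn, {attr_lowercase: [values]}). Base64 ('::') values are not handled."""
    entries = []
    for block in text.strip().split("\n\n"):
        lines = []
        for raw in block.splitlines():
            if raw.startswith(" ") and lines:
                lines[-1] += raw[1:]          # unfold a continuation line
            else:
                lines.append(raw)
        dn, attrs = None, defaultdict(list)
        for line in lines:
            name, _, value = line.partition(":")
            name, value = name.strip().lower(), value.strip()
            if name == "dn":
                dn = value
            else:
                attrs[name].append(value)
        entries.append((dn, dict(attrs)))
    return entries


def _has_class(attrs, wanted):
    return wanted in (oc.lower() for oc in attrs.get("objectclass", []))


def uid_index(entries):
    """Map each posixAccount's uid to its DN."""
    return {attrs["uid"][0]: dn for dn, attrs in entries
            if _has_class(attrs, "posixaccount")}


def member_additions(entries):
    """For every posixGroup return (member DNs still missing, memberUid
    values that resolve to no account)."""
    index = uid_index(entries)
    result = {}
    for dn, attrs in entries:
        if not _has_class(attrs, "posixgroup"):
            continue
        present = {m.lower() for m in attrs.get("member", [])}
        to_add, unresolved = [], []
        for uid in attrs.get("memberuid", []):
            target = index.get(uid)
            if target is None:
                unresolved.append(uid)        # dangling memberUid
            elif target.lower() not in present:
                to_add.append(target)
        result[dn] = (to_add, unresolved)
    return result


def modify_ldif(additions):
    """Render 'changetype: modify' records for groups that need new members."""
    records = []
    for dn, (to_add, _unresolved) in additions.items():
        if not to_add:
            continue
        records.append(f"dn: {dn}\nchangetype: modify\nadd: member\n"
                       + "".join(f"member: {m}\n" for m in to_add) + "-\n")
    return "\n".join(records)


if __name__ == "__main__":
    adds = member_additions(parse_ldif(SAMPLE_LDIF))
    print(modify_ldif(adds))
    for group, (_, missing) in adds.items():
        if missing:
            print(f"# {group}: memberUid without matching account: {missing}")
```

The output can be fed to ldapmodify; once `member` is populated, `memberof-member-ad member` is a valid overlay setting and the `(&(objectClass=posixAccount)(memberOf=...))` search from the question works as intended. Keeping `memberUid` and `member` in step on every later group change is the part that still needs to be automated.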
11 years, 6 months
Limiting finger lookup access on Linux
by Rex Roof
I have some linux machines that I have configured for student access.
We are authenticating against our OpenLDAP tree and limiting which
users have access via an LDAP groupOfNames. This is all working
perfectly.
This is the problem I am having. Any user with access to the system
can run the /usr/bin/finger command and do a name search against our
entire LDAP tree. I would like to limit the info available via
finger to just the users that have access to any particular machine.
How can this be controlled?
-Rex
11 years, 6 months
RE: LDAPCon slides
by Morteza Ansari
It indeed was a great conference, thanks for organizing it.
On the embedded directory front, I will be even more impressed once you get your G1 to generate certs ;-)
Cheers,
Morteza
-----Original Message-----
From: openldap-technical-bounces+mansari=postpath.com(a)openldap.org [mailto:openldap-technical-bounces+mansari=postpath.com@openldap.org] On Behalf Of Howard Chu
Sent: Wednesday, September 23, 2009 12:59 PM
To: openldap-technical(a)openldap.org
Subject: LDAPCon slides
For those of you who weren't able to attend the conference, most of the
submitted talks now have their slides/papers online on the web site.
http://www.symas.com/ldapcon2009/papers.shtml
You missed a lot of great discussions, and a live demo of probably the world's
smallest LDAP server installation - OpenLDAP 2.4.18 running on my G1 phone,
serving queries from Ludovic Poitou's iPhone address book. OpenLDAP doesn't
just scale up to massive multi-processor deployments, it also works well at
the smallest of scales. Even the "embedded directory" guys haven't gotten here
yet...
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
11 years, 6 months
Re: Advice/comments on deploying openLDAP in a VirtualBox
by Arun Khan
> Date: Tue, 22 Sep 2009 16:59:30 -0400
> From: Adam Tauno Williams <awilliam(a)opengroupware.us>
> Subject: Re: Advice/comments on deploying openLDAP in a VirtualBox
> appliance.
> To: openldap-technical(a)openldap.org
> Message-ID: <1253653170.5317.24.camel@linux-m3mt>
> Content-Type: text/plain
>
> On Wed, 2009-09-23 at 00:23 +0530, Arun Khan wrote:
>> I have completed the prototyping of openldap, samba/pdc, on a
>> VirtualBox appliance. The setup works fine with 4-5 different
>> desktop clients connecting to
>> the services.
>> Appliance details: VirtualBox 3.0.6 - 512MB RAM, 8MB Video RAM, 9GB
>> VDI with 1GB Swap and CentOS 5.3 64bit).
>> I am considering deploying this appliance into production with 1GB
>> RAM. The no. of clients connecting to the server will be approx. 150.
>> Has anyone deployed openLDAP + Samba/PDC in a VirtualBox appliance?
>
> I don't know anything about Virtual Box but I operate an OpenLDAP +
> Samba/PDC for 300+ used on an ESX VM with roughly the allocated
> resources you specify [although I have no idea about "Video RAM" or
> "VDI"]. I imagine the performance of the underlying host may matter
> more than your specific allocations so long as process fit into the
> allocated memory.
Much thanks for sharing your experience and validating the deployment of
openLDAP+Samba/PDC in a virtual environment.
The VirtualBox VideoRam is applicable only for graphical display and
VDI == VirtualDiskImage (it is the file that contains the VM).
-- Arun Khan
11 years, 6 months
bdb checkpoints
by Oliver Henriot
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Dear list users,
I'm trying to get my DB_CONFIG file sorted out and I'm getting confused.
If I follow the documentation available on zytrax.com
(http://www.zytrax.com/books/ldap/ch6/bdb.html#db-config), if I have a
DB_CONFIG file it should contain a txn_checkpoint directive instead of
the checkpoint directive in the slapd.conf file, which indeed does nothing no
matter whether I change it or not. But if I put a txn_checkpoint in the
DB_CONFIG file I get an "unrecognized name-value pair: txn_checkpoint"
error and everything dies miserably.
So, as Howard suggests
(http://www.openldap.org/lists/openldap-software/200605/msg00091.html),
I set off on a quest to read the BerkeleyDB documentation. I'm finding
reading it not very useful for several reasons. Firstly, the txn_checkpoint
directive sometimes occurs
(http://www.oracle.com/technology/documentation/berkeley-db/db/programmer_...
so at least version 3.1, and up?, should understand txn_checkpoint) and
sometimes not
(http://www.oracle.com/technology/documentation/berkeley-db/db/api_referen...).
Secondly, there is scarce, if any, reference to the versions of BDB
concerned in the documentation I have found, and now that I have spent an
awful amount of time (well, ten minutes maybe) trying to find out exactly
which version of BDB I have, I'd like to make some intelligent use of
that information if at all possible.
Well, I'm lost. The only thing I've found is a gigabyte of bdb logs
created when I populate my directory which are not removed by dbconfig
set_flags DB_LOG_AUTOREMOVE, and even more as my directory lives its life
(several gigabytes after a week or two). So I'd like to reduce their
volume if at all possible rather than having to regularly remove them
using slapd_db_archive manually.
So, what's the story with BDB transaction checkpoint logs? How can I get
this mess sorted out?
I'm using Openldap 2.3.43-3.el5 with BDB 4.3.29 on CentOS 5.3.
Thanks.
Best regards,
Oliver
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iEYEARECAAYFAkq5+hoACgkQSWuBJnHIHdIZxACg1kcPx90oHYn8G/D33HWf+dzE
0OAAnRgckB9Nbre0Z7azx15YFLOMOCR4
=OYos
-----END PGP SIGNATURE-----
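An added note and example, not part of the original message: DB_CONFIG is read by Berkeley DB itself and accepts only Berkeley DB's own configuration keywords (set_cachesize, set_lg_bsize, set_lg_max, set_flags, and so on). txn_checkpoint is the name of a Berkeley DB API method (DB_ENV->txn_checkpoint), not a DB_CONFIG keyword, which is exactly what the "unrecognized name-value pair" error is reporting. With back-bdb the checkpoint interval is configured in slapd.conf, and DB_LOG_AUTOREMOVE only deletes a transaction log file once a checkpoint has made it obsolete, so with no checkpoints being written the log files simply accumulate. The fragment below shows a matching pair of settings; the sizes and intervals are illustrative values chosen for this example, not tuning advice for a particular deployment, and the set_flags spelling is the one for the BDB 4.3 line named above (BDB 4.7 and later use log_set_config DB_LOG_AUTO_REMOVE instead).

```conf
# --- slapd.conf, inside the back-bdb database section (added example) ---
database        bdb
suffix          "dc=example,dc=com"
directory       /var/lib/ldap
# checkpoint <kbyte> <min>: write a checkpoint record after 1 MiB of log
# data or after 15 minutes, whichever comes first (illustrative values).
checkpoint      1024 15

# --- DB_CONFIG in that same directory: Berkeley DB keywords only ---
# 256 MiB cache in one segment (illustrative value)
set_cachesize   0 268435456 1
# in-memory log buffer and maximum size of one log file (illustrative values)
set_lg_bsize    2097152
set_lg_max      10485760
# delete log files as soon as a checkpoint has made them unnecessary;
# BDB 4.3 spelling, see the lead-in for 4.7+
set_flags       DB_LOG_AUTOREMOVE
```

Changes to DB_CONFIG take effect when the environment is next opened, so slapd has to be restarted after editing it; until a checkpoint has actually run, slapd_db_archive remains the only way to find out which log files are already unneeded.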
11 years, 6 months
LDAPCon slides
by Howard Chu
For those of you who weren't able to attend the conference, most of the
submitted talks now have their slides/papers online on the web site.
http://www.symas.com/ldapcon2009/papers.shtml
You missed a lot of great discussions, and a live demo of probably the world's
smallest LDAP server installation - OpenLDAP 2.4.18 running on my G1 phone,
serving queries from Ludovic Poitou's iPhone address book. OpenLDAP doesn't
just scale up to massive multi-processor deployments, it also works well at
the smallest of scales. Even the "embedded directory" guys haven't gotten here
yet...
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
11 years, 6 months