Re: backend issue
by Quanah Gibson-Mount
--On Monday, December 13, 2010 7:51 PM -0200 Friedrich Locke
<friedrich.locke(a)gmail.com> wrote:
> Excuse me Mr. Quanah,
>
> but where do you download BDB 4.4.x from?
If you want help, keep your replies to the list.
--Quanah
--
Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
push replication with proxy and rwm overlay
by Gwenn Gueguen
Hi all,
I'm trying to set up push replication from master to slave through a
proxy with the rwm overlay. Master, proxy and slave are OpenLDAP 2.4.11
from Debian lenny.
On the slave, I don't want Samba-related attributes, so I used the
attrs param on syncrepl to only get the attributes I want, but entries
still have sambaSamAccount or sambaGroupMapping as objectClass.
I tried using the rwm overlay to remove these references to Samba in
objectClass, but it did not work and I still get the following error
when the proxy tries to add the entries on the slave:
error code 0x15: objectClass: value #3 invalid per syntax
Here is the proxy configuration:
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/samba.schema
include /etc/ldap/schema/authldap.schema
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
loglevel -1
modulepath /usr/lib/ldap
moduleload back_ldap
moduleload syncprov
moduleload rwm
database ldap
suffix "..."
rootdn "cn=admin,..."
uri ldap://ldap-dmz
# Save the time that the entry gets modified, for database #1
lastmod on
#We don't need any access to this DSA
restrict all
overlay rwm
rwm-map objectclass inetOrgPerson *
rwm-map objectclass posixAccount *
rwm-map objectclass shadowAccount *
rwm-map objectclass organizationalPerson *
rwm-map objectclass person *
rwm-map objectclass posixGroup *
# rwm-map objectclass sambaSamAccount
# rwm-map objectclass sambaGroupMapping
rwm-map objectclass *
acl-bind bindmethod=simple
idassert-bind
bindmethod=simple
binddn="cn=admin,..."
credentials="secret"
syncrepl rid=001
provider=ldap://ldap
attrs="@inetOrgPerson,@posixAccount,@shadowAccount,@organizationalPerson,@person"
bindmethod=simple
searchbase="ou=people,..."
type=refreshAndPersist
retry="60 +"
interval=00:00:01:00
schemachecking=off
syncrepl rid=002
provider=ldap://ldap
attrs="@posixGroup"
bindmethod=simple
searchbase="ou=groups,..."
type=refreshAndPersist
retry="60 +"
interval=00:00:01:00
schemachecking=off
overlay syncprov
I tried upgrading OpenLDAP on the proxy to 2.4.17 from backports and
also upgraded to squeeze with OpenLDAP 2.4.23, but I still get the
error.
Am I doing something wrong or is rwm buggy?
Thanks,
--
Gwenn
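The consumer-side error above comes from objectClass values whose attributes the syncrepl attrs list already filtered out. As an added example that is not part of this thread or of OpenLDAP, here is a Python filter for LDIF (as slapcat or ldapsearch emit it) that drops objectClass values outside an allow-list together with the attributes those classes provide, so the entries load on a consumer that has no samba.schema; the class-to-attribute table and the sample entry are constructed.

```python
"""LDIF filter for a consumer without the Samba schema (added example)."""

# Classes the consumer may carry: the thread's syncrepl attrs list plus top.
KEEP_CLASSES = {"top", "inetOrgPerson", "posixAccount", "shadowAccount",
                "organizationalPerson", "person", "posixGroup"}
# Constructed subset of samba.schema: attributes these classes provide.
# They must leave with the class, or the entry is still invalid on the consumer.
CLASS_ATTRS = {
    "sambaSamAccount": {"sambaSID", "sambaNTPassword", "sambaLMPassword",
                        "sambaPwdLastSet", "sambaAcctFlags"},
    "sambaGroupMapping": {"sambaSID", "sambaGroupType", "sambaSIDList"},
}
# Constructed sample entry of the shape the post replicates.
SAMPLE = """dn: uid=jdoe,ou=people,dc=example,dc=com
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: sambaSamAccount
uid: jdoe
uidNumber: 1001
sambaSID: S-1-5-21-1-2-3-1001
sambaAcctFlags: [U          ]
"""

def parse_ldif(text):
    """Minimal LDIF reader: a blank line ends an entry; no folding or base64."""
    entries, cur = [], {}
    for line in text.splitlines():
        if not line.strip():
            if cur:
                entries.append(cur)
            cur = {}
        elif not line.startswith("#"):
            name, value = line.split(": ", 1)
            cur.setdefault(name, []).append(value)
    return entries + ([cur] if cur else [])

def strip_entry(entry, keep=KEEP_CLASSES, class_attrs=CLASS_ATTRS):
    """Copy of entry without foreign objectClass values and their attributes."""
    keep_l = {c.lower() for c in keep}                       # LDAP names are case-insensitive
    attrs_l = {c.lower(): {a.lower() for a in v} for c, v in class_attrs.items()}
    classes = [v for n, vs in entry.items() if n.lower() == "objectclass" for v in vs]
    banned = set().union(*(attrs_l.get(c.lower(), set())
                           for c in classes if c.lower() not in keep_l))
    out = {}
    for name, values in entry.items():
        if name.lower() == "objectclass":
            values = [c for c in values if c.lower() in keep_l]
        if name.lower() not in banned:
            out[name] = values
    return out
```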
Ordering of shadowExpire values
by Antonio Batovanja
From nis.schema:
attributetype ( 1.3.6.1.1.1.1.10 NAME 'shadowExpire'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
If I add
ORDERING integerOrderingMatch
to shadowExpire, I can use a range filter like
(&(objectclass=shadowaccount)(shadowexpire>=1000))
What else can I do to be able to use a range filter? I don't like changing
standard schemas...
Cheers,
Toni
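Without an ORDERING rule the server cannot evaluate a >= or <= filter on shadowExpire, but the comparison can be done on the client after a plain (objectClass=shadowAccount) search. As an added example, not from this thread or from OpenLDAP, here is a Python emulation of the range filter over fetched entries (the sample entries are constructed); it also goes beyond the server-side rule by treating negative values as "never expires" and by turning the day count into a date.

```python
"""Client-side shadowExpire range check when the schema has no ORDERING rule
(added example)."""
from datetime import date, timedelta

EPOCH = date(1970, 1, 1)

def shadow_days_to_date(days):
    """shadowExpire holds days since 1970-01-01 (see shadow(5)), not seconds."""
    return EPOCH + timedelta(days=int(days))

def expire_filter(entries, low=None, high=None):
    """Emulate (&(shadowExpire>=low)(shadowExpire<=high)) on fetched entries.

    Entries are dicts of attribute -> list of string values, as a search for
    (objectClass=shadowAccount) returns them. Values are compared as integers,
    which is what integerOrderingMatch would do; comparing the strings would
    rank "999" above "1000". Negative values ("never expires") never match,
    which is stricter than the server rule, which would accept -1 <= high.
    """
    hits = []
    for entry in entries:
        values = entry.get("shadowExpire") or entry.get("shadowexpire")
        if not values:
            continue                 # absent attribute: the filter is Undefined
        days = int(values[0])        # SINGLE-VALUE per nis.schema
        if days < 0:
            continue
        if low is not None and days < int(low):
            continue
        if high is not None and days > int(high):
            continue
        hits.append(entry["dn"][0])
    return hits

def expired_as_of(entries, today):
    """DNs whose expiry day lies strictly before `today` (a datetime.date)."""
    cutoff = (today - EPOCH).days
    return expire_filter(entries, low=0, high=cutoff - 1)

# Constructed sample of what a (objectClass=shadowAccount) search might return.
SAMPLE = [
    {"dn": ["uid=alice,ou=people,dc=example,dc=com"], "shadowExpire": ["15000"]},
    {"dn": ["uid=bob,ou=people,dc=example,dc=com"], "shadowExpire": ["999"]},
    {"dn": ["uid=carol,ou=people,dc=example,dc=com"], "shadowExpire": ["-1"]},
    {"dn": ["uid=dave,ou=people,dc=example,dc=com"]},
]
```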
debugging memberOf overlay
by c0re
Hello all!
Trying to get the memberOf overlay working.
Added "overlay memberof" to slapd.conf.
Restarted slapd.
Checked that the overlay loaded:
# slaptest -d 1
.............
config_build_entry: "olcOverlay={1}memberof"
.............
Then added 1 user and 2 groups via LDIF:
dn: cn=test,ou=users,dc=domain,dc=local
sn: test
cn: test
uid: test
objectClass: inetOrgPerson
objectClass: top
objectClass: person
objectClass: posixAccount
objectClass: shadowAccount
objectClass: radiusprofile
uidNumber: 5555
gidNumber: 5555
homeDirectory: /home/test
givenName: test
loginShell: /bin/sh
shadowMin: 0
shadowMax: 999
shadowWarning: 7
shadowInactive: -1
shadowExpire: 0
shadowFlag: 0
dialupAccess: yes
dn: cn=testgroup,ou=servers,dc=domain,dc=local
objectclass: groupOfNames
cn: testgroup
member: cn=test,ou=users,dc=domain,dc=local
dn: cn=maingroup,ou=servers,dc=domain,dc=local
objectclass: groupOfNames
cn: maingroup
member: cn=testgroup,ou=servers,dc=domain,dc=local
And ran:
# ldapsearch -x -D "cn=admin,dc=domain,dc=local" -b
"dc=domain,dc=local" -W "(cn=test)" memberOf
# extended LDIF
#
# LDAPv3
# base <dc=domain,dc=local> with scope subtree
# filter: (cn=test)
# requesting: memberOf
#
# test, users, domain.local
dn: cn=test,ou=users,dc=domain,dc=local
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
As you see, there is no memberOf in the user's attributes.
I have no idea why...
By that I wanted to test the output of ldapsearch to check whether there
will be one or two memberOf attributes.
Thanks!
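The post asks whether cn=test should end up with one or two memberOf values, which depends on whether nested membership (test is in testgroup, testgroup is in maingroup) is expanded. As an added example, not part of this thread or of OpenLDAP, here is a Python computation of both the direct inversion of member (the only thing slapo-memberof maintains, since it does not expand nested groups) and the transitive, cycle-safe walk; the group entries are constructed to mirror the post.

```python
"""Direct and transitive memberOf from groupOfNames entries (added example)."""
from collections import deque

# Constructed to mirror the post: test is in testgroup, testgroup is in maingroup.
GROUPS = {
    "cn=testgroup,ou=servers,dc=domain,dc=local": ["cn=test,ou=users,dc=domain,dc=local"],
    "cn=maingroup,ou=servers,dc=domain,dc=local": ["cn=testgroup,ou=servers,dc=domain,dc=local"],
}

def norm(dn):
    """Case- and space-insensitive DN key; enough for these constructed DNs."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def direct_memberof(groups):
    """Invert member -> groups; this is what slapo-memberof maintains."""
    out = {}
    for gdn, members in groups.items():
        for m in members:
            out.setdefault(norm(m), []).append(gdn)
    return out

def transitive_memberof(groups, dn):
    """Every group reachable from dn through nested membership, cycle-safe."""
    direct = direct_memberof(groups)
    seen, order, queue = set(), [], deque([norm(dn)])
    while queue:
        for g in direct.get(queue.popleft(), []):
            if norm(g) not in seen:          # a group already visited is a cycle
                seen.add(norm(g))
                order.append(g)
                queue.append(norm(g))
    return order

def memberof_report(groups):
    """member DN -> (direct memberOf count, transitive memberOf count)."""
    return {m: (len(gs), len(transitive_memberof(groups, m)))
            for m, gs in direct_memberof(groups).items()}
```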
Oddities with searching for a specific value of an attribute
by Sebastian Urbanneck
Sorry for this weird topic, but I didn't know how to name this one.
These are the facts: we're using the phamm.schema from the PHAMM project
for saving virtual domain entries in our LDAP database. Searching for
them is mostly no problem, but one specific circumstance is bothering
me to death: when I try to search for a specific value of the attribute
"vd", the corresponding entry is not always found. Any other attribute
does the trick, but vd doesn't.
For example: the search for (using the root_dn)
ldapsearch -x -W -D "cn=admin,dc=uebergebuehr,dc=de" -b
"ou=domains,dc=uebergebuehr,dc=de" "(vd=*)" -s one
produces following output:
---------output-------------
# extended LDIF
#
# LDAPv3
# base <vd=lak-hessen.de,ou=domains,dc=uebergebuehr,dc=de> with scope
baseObject
# filter: (vd=*)
# requesting: ALL
#
# lak-hessen.de, domains, uebergebuehr.de
dn: vd=lak-hessen.de,ou=domains,dc=uebergebuehr,dc=de
vd: lak-hessen.de
lastChange: 1291723263
maxMail: 100
maxAlias: 100
maxQuota: 100
accountActive: TRUE
editAV: TRUE
delete: FALSE
postfixTransport: dovecot
objectClass: top
objectClass: VirtualDomain
description: lak-hessen.de
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
-------------------------------------
This is true every time I put a wildcard (*) into the search pattern,
and with scope "sub" it also doesn't matter in which part of the tree
above this entry I am. But when I'm searching specifically for the value
(lak-hessen.de) nothing is found, no matter in which entry I am and which
scope I use.
Strangely, this pattern _is_ found when you go into the entry of the
domain itself (vd=lak-hessen.de,ou=domains,...) and search with scope
'base'.
Any idea what I'm doing wrong? Or is this a bug? I think ACLs are ruled
out because of using the root_dn.
I didn't want to file a bug before being really sure that this is one.
Regards,
Sebastian
slapcat, PROXIED attributeDescription inserted, and cron jobs
by btb@bitrate.net
hi-
i'm running slapcat from a daily cron job to back up cn=config and other
databases. i've recently updated from 2.4.21 to 2.4.23, and notice now
in the output of slapcat, messages such as
>slapcat -b 'cn=config' -l 'config.ldif' > /dev/null
PROXIED attributeDescription "OU" inserted.
PROXIED attributeDescription "DC" inserted.
a bit of searching seems to indicate that these shouldn't be cause for
concern, and are just informative messages.
since these messages are written to stderr, cron sends email every time
it runs slapcat. if they're not errors, do they maybe belong in stdout
rather than stderr? alternatively, can these messages be suppressed?
according to the man page, there doesn't appear to be a way to do so.
thanks
-ben
x500UniqueIdentifier
by Juan Gonzalez
Hi, I'm trying to insert userCertificate values containing
x500UniqueIdentifiers. When the value appears in the SubjectNames, it
inserts correctly.
By this I assume there is a validation of the field formatting.
When I have an x500UniqueIdentifier in the IssuerNames it fails to
insert.
Is there a specific place where valid attributes and syntaxes for
IssuerNames should be declared?
Thanks
Jgcardoso.
slapd 2.4.23 SASL/GSSAPI problem
by Matej Zagiba
Hello everybody,
I'm running Debian squeeze (testing) with OpenLDAP 2.4.23 and an MIT Kerberos 1.8.3 KDC.
I had functional SASL/GSSAPI authentication configured, but recently it stopped working.
I cannot be really sure, but I suspect the upgrade from OpenLDAP 2.4.22 is the cause.
In the logs I see lots of this:
SASL [conn=1003] Failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Configuration file does not specify default realm)
I added the sasl-realm option but it did not help. All other Kerberos applications work without problem.
Is there any (new) SASL option I missed? Or is it a bug in 2.4.23?
Thanks for any help.
Matej Zagiba