Syncrepl in OpenLDAP-2.4.20
by Ralf Zimmermann
Hi all,
Today I have made tests with version 2.4.21 and my 2.4.20 configuration. When I
start slapd I get the following error message:
config error processing olcDatabase={1}hdb,cn=config: <olcSyncrepl> invalid URL
olcSyncrepl: value #0: <olcSyncrepl> invalid URL
In slapd.conf there is a syncrepl section. If I add 'uri=ldap://<server>' to
the syncrepl directive and create an online configuration with 'slaptest -f
/etc/openldap/slapd.conf -F /etc/openldap/slapd.d', the olc ldif file contains a
uri with 'uri=ldap://<server>'. If I don't define uri in the slapd.conf syncrepl
directive, the uri in the olc ldif file is empty and slapd does not start.
I have taken a look at the CHANGES file and the man pages, but I didn't find
anything about the uri parameter in the syncrepl section. Why is this parameter
not documented, or where is my problem?
regards
Ralf Zimmermann
--
.''`. Ralf Zimmermann
: :' : SIEGNETZ.IT GmbH
`. `' Schneppenkauten 1a
`- 57076 Siegen
Tel.: +49 271 68193 13
Fax.: +49 271 68193 29
Amtsgericht Siegen HRB4838
Geschaeftsfuehrer: Oliver Seitz
Sitz der Gesellschaft ist Siegen
13 years, 7 months
objectclass not found inetorgperson?
by Ray Carrender
I keep getting an ldap_add: Invalid syntax (21)
additional info: objectclass: value #0 invalid
per syntax
(ldif)
dn: cn=Charlton Heston,ou=people,dc=afranius,dc=com
cn: Charlton
sn: Heston
mail: heston(a)actor.com
telephoneNumber: 508-555-1212
objectclass: inetOrgPerson
slapd.conf has:
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
It successfully added the two objects prior to this. Do you guys have any
ideas what might be going on?
Thanks!
*Ray*
13 years, 7 months
idea for access rules #2
by Stefan Palme
Hi again,
I have a subtree like this:
ou=users
  cn=me
ou=data
  ou=data1
    cn=fact1
    cn=fact2, owner=cn=me,ou=users
  ou=data2
    cn=fact3
    cn=fact4
So this time, some child elements of a dataX-subtree are "owned" by
certain users. What I want: when a user (cn=me) traverses the LDAP
tree, (s)he should only see the dataX-subtrees with at least one
child owned by this user. For the example above, the user cn=me
should get read access to "ou=data1" and to "cn=fact2,ou=data1",
but he should NOT get read access to ou=data2 and its children.
Specifying the access to the "cn=factX" entries is already solved,
now the only problem is to deny access to some of the "ou=dataX"
subtrees:
My current idea is something like this:
access
to dn.regex="(ou=[^,]+,ou=data)"
by set.expand="([ldap://127.0.0.1?base=$1?scope=sub]/owner) & user"
which should find all entries in a dataX subtree, collect their owners
and "compare" them with the current user.
But this does not look "nice" to me because of the additional required
LDAP search. Is there a more straightforward solution for this?
If not: is this search operation really EXECUTED? Which bind DN is used
to execute the search? The "current" one? I guess, to find the search
results for the LDAP query all access rules for the current user apply?
Thanks and regards
-stefan-
13 years, 7 months
idea for access rules
by Stefan Palme
Hi all,
maybe this is not the right list for this question, in this case
I apologize for this post..
I have no idea how to define access rules for the following case. I have
an LDAP tree like this:
ou=users
  cn=me
ou=data
  ou=data1, owner=cn=me,ou=users
    cn=fact1
    cn=fact2
  ou=data2, owner=cn=somebodyelse,ou=users
    cn=fact3
    cn=fact4
(one line represents one LDAP entry with some of its attributes,
the level of indentation represents the tree structure)
The point is the subtree starting at "ou=data1". The root node of this
subtree (ou=data1) has an attribute "owner" with a DN of a user account
which can be used to bind to the LDAP server (cn=me,ou=users).
Now I want to define, that this specific user has write access to
some attributes of cn=fact1,ou=data1 and cn=fact2,ou=data2 etc...
I am searching for a rule like this:
access
to "cn=[^,]+,ou=data1,ou=data" attrs="attr1,attr2,attr3"
by dnattr="owner of node ou=data1,ou=data" write
Obviously, this dnattr syntax is not valid, but I guess you see
what I want. Any ideas how to realize this?
Thanks for any hints
Regards
-stefan-
13 years, 7 months
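The owner-based rules from both "idea for access rules" posts, written down as a testable model. This is an added example, not part of the posts and not slapd ACL syntax: it fixes the intended policy in plain Python (who may read which ou=dataX node, who may write attr1..attr3 of its children) so the intent can be checked before it is translated into slapd.access(5) rules. The ou=data3/ou=data4 entries and all function names are assumptions made for the example.

```python
"""Reference model of the owner-based access rules from the two posts.

Added example, not slapd configuration: the DIRECTORY below is a
constructed tree modelled on the posts, with DNs relative to the suffix.
"""


def dn_key(dn):
    # Normalise a DN for comparison.  Assumption: no escaped commas in
    # these DNs (true for the sample tree).
    return ",".join(r.strip().lower() for r in dn.split(","))


# Values hold only the attribute the access decision needs.
DIRECTORY = {dn_key(dn): attrs for dn, attrs in {
    "ou=users": {},
    "cn=me,ou=users": {},
    "cn=somebodyelse,ou=users": {},
    "ou=data": {},
    # first post: the dataX node itself carries the owner
    "ou=data1,ou=data": {"owner": ["cn=me,ou=users"]},
    "cn=fact1,ou=data1,ou=data": {},
    "cn=fact2,ou=data1,ou=data": {},
    "ou=data2,ou=data": {"owner": ["cn=somebodyelse,ou=users"]},
    "cn=fact3,ou=data2,ou=data": {},
    "cn=fact4,ou=data2,ou=data": {},
    # second post: the children carry the owner, the dataX node does not
    "ou=data3,ou=data": {},
    "cn=fact5,ou=data3,ou=data": {},
    "cn=fact6,ou=data3,ou=data": {"owner": ["cn=me,ou=users"]},
    "ou=data4,ou=data": {},
    "cn=fact7,ou=data4,ou=data": {"owner": ["cn=somebodyelse,ou=users"]},
}.items()}

# Attributes of cn=factX that the owner of ou=dataX may write (first post).
WRITABLE_BY_OWNER = {"attr1", "attr2", "attr3"}


def parent(dn):
    parts = dn_key(dn).split(",")
    return ",".join(parts[1:]) if len(parts) > 1 else None


def is_data_node(dn):
    """True for the ou=dataX entries directly below ou=data."""
    parts = dn_key(dn).split(",")
    return len(parts) == 2 and parts[0].startswith("ou=") and parts[1] == "ou=data"


def children(dn):
    return [d for d in DIRECTORY if parent(d) == dn_key(dn)]


def owners(dn):
    return {dn_key(o) for o in DIRECTORY.get(dn_key(dn), {}).get("owner", [])}


def can_read(user, target):
    """Read access under both posts' rules."""
    user, target = dn_key(user), dn_key(target)
    if is_data_node(target):
        # visible if the user owns the node (first post) or at least one
        # of its children (second post)
        return user in owners(target) or any(user in owners(c) for c in children(target))
    p = parent(target)
    if p and is_data_node(p):
        # a cn=factX leaf: readable if the user owns it or owns its ou=dataX
        return user in owners(target) or user in owners(p)
    return False


def can_write(user, target, attr):
    """First post: the owner of ou=dataX may write attr1..attr3 of its children."""
    user, target = dn_key(user), dn_key(target)
    p = parent(target)
    return (p is not None and is_data_node(p)
            and user in owners(p)
            and attr.lower() in WRITABLE_BY_OWNER)


def visible_data_nodes(user):
    """The ou=dataX subtrees a user should see while traversing ou=data."""
    return sorted(d for d in DIRECTORY if is_data_node(d) and can_read(user, d))


if __name__ == "__main__":
    for u in ("cn=me,ou=users", "cn=somebodyelse,ou=users"):
        print(u, "sees", visible_data_nodes(u))
```

The point of writing the model first is that each line of the eventual ACL can be checked against a concrete expectation (cn=me sees ou=data1 and ou=data3 but not ou=data2 or ou=data4; cn=me writes attr1 of cn=fact1 but not userPassword), which is much easier than reasoning about slapd's first-match evaluation directly.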
attributes order
by Mihamina Rakotomandimby
Manao ahoana, Hello, Bonjour,
Hi all
I have 3 custom attributes:
- actionDate
- commentContent
- commentId
I populated my OpenLDAP with a shell script and "ldapadd", and when
searching with "ldapsearch", attributes are displayed all in the order:
- actionDate
- commentContent
- commentId
Now I use the OCaml LDAP binding (ocamldap) to add several entries.
While searching again, entries added with shell+ldap have the same
attribute order display, but the ones added through the OCaml binding
are displayed in a different order. That means while displaying all the
objects (strictly of the same objectClass), I have a mixed attribute
order display.
How could I force openLDAP to always display attributes in the same
order for one objectClass?
Misaotra, Thanks, Merci.
--
IT Architect at Blueline/Gulfsat:
System Administration, Research & Development
+261 34 29 155 34 / +261 33 11 207 36
13 years, 7 months
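LDAP does not define an order for the attributes of an entry, so the reliable place to impose one is the client. The following is an added example, not code from the post or from ocamldap: it parses ldapsearch's LDIF output and reorders each entry's attributes according to a per-objectClass table. The objectClass name commentEntry, the sample entries and the function names are assumptions made for the example.

```python
import base64

# Preferred display order per objectClass.  The three attribute names come
# from the post; the objectClass name 'commentEntry' is an assumption made
# for this example.
PREFERRED_ORDER = {
    "commententry": ["actionDate", "commentContent", "commentId"],
}

# Constructed sample in the shape the post describes: two entries of the same
# objectClass whose attributes were stored, and therefore returned, in
# different orders.  One value is base64 (::), as ldapsearch prints values
# that are not LDIF-safe.
SAMPLE_LDIF = """\
dn: commentId=1,ou=comments,dc=example,dc=com
objectClass: commentEntry
objectClass: top
actionDate: 20100219121733Z
commentContent: first comment
commentId: 1

dn: commentId=2,ou=comments,dc=example,dc=com
commentId: 2
commentContent:: aGVsbG8gd29ybGQ=
objectClass: top
objectClass: commentEntry
actionDate: 20100219121800Z
"""


def parse_ldif(text):
    """Parse an LDIF content stream (RFC 2849) into [(dn, [(attr, value), ...])].

    Handles folded continuation lines, comments and base64 values; changetype
    records are out of scope for this example."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]            # folded line
        else:
            logical.append(raw)
    entries, current = [], None
    for line in logical + [""]:               # trailing "" flushes the last entry
        if line == "":
            if current is not None:
                entries.append(current)
                current = None
            continue
        if line.startswith("version:"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):             # "attr:: base64"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value[1:] if value.startswith(" ") else value
        if name.lower() == "dn":
            current = (value, [])
        elif current is None:
            raise ValueError("attribute line before dn: " + line)
        else:
            current[1].append((name, value))
    return entries


def normalize(entries):
    """Reorder each entry's attributes: objectClass first, then the preferred
    order of the entry's objectClasses, then everything else alphabetically.
    The sort is stable, so values of a multi-valued attribute keep their order."""
    out = []
    for dn, attrs in entries:
        classes = [v.lower() for a, v in attrs if a.lower() == "objectclass"]
        rank = {}
        for cls in classes:
            for a in PREFERRED_ORDER.get(cls, []):
                rank.setdefault(a.lower(), len(rank))

        def key(av):
            a = av[0].lower()
            if a == "objectclass":
                return (0, 0, a)
            if a in rank:
                return (1, rank[a], a)
            return (2, 0, a)

        out.append((dn, sorted(attrs, key=key)))
    return out


def to_ldif(entries):
    # Values are written back as plain strings; re-encoding non-safe values
    # with "::" is left out of this example.
    lines = []
    for dn, attrs in entries:
        lines.append("dn: " + dn)
        lines.extend(a + ": " + v for a, v in attrs)
        lines.append("")
    return "\n".join(lines)


def attribute_names(entries):
    """Attribute names per entry, in display order (used for checking)."""
    return [[a for a, _ in attrs] for _, attrs in entries]


if __name__ == "__main__":
    print(to_ldif(normalize(parse_ldif(SAMPLE_LDIF))))
```

Run it on `ldapsearch -LLL` output; entries of the same objectClass come out with identical attribute order regardless of which client added them.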
password change hangs: bug?
by Stefano Zanmarchi
Hi,
I'm running slapd 2.4.9 on Solaris 10.
I searched with no result: does anyone know if there is a bug in 2.4.9
regarding password changes?
I'd like to know if newer releases have bug fixes specifically for this
issue
This is what happened to me.
I have a client performing many password changes, which usually results in
my logs like this:
...
Feb 19 12:17:33 db1 slapd[49]: [ID 848112 local4.debug] conn=591 fd=22 ACCEPT from IP=192.168.2.253:49108 (IP=0.0.0.0:12312)
Feb 19 12:17:33 db1 slapd[49]: [ID 215403 local4.debug] conn=591 op=0 BIND dn="uid=mario.rossi(a)unipd.it,ou=people,dc=unipd,dc=it" method=128
Feb 19 12:17:33 db1 slapd[49]: [ID 600343 local4.debug] conn=591 op=0 BIND dn="uid=mario.rossi(a)unipd.it,ou=people,dc=unipd,dc=it" mech=SIMPLE ssf=0
Feb 19 12:17:33 db1 slapd[49]: [ID 588225 local4.debug] conn=591 op=0 RESULT tag=97 err=0 text=
Feb 19 12:17:33 db1 slapd[49]: [ID 270379 local4.debug] conn=591 op=1 EXT oid=1.3.6.1.4.1.4203.1.11.1
Feb 19 12:17:33 db1 slapd[49]: [ID 461300 local4.debug] conn=591 op=1 PASSMOD new
Feb 19 12:17:33 db1 slapd[49]: [ID 875301 local4.debug] conn=591 op=1 RESULT oid= err=0 text=
Feb 19 12:17:33 db1 slapd[49]: [ID 218904 local4.debug] conn=591 op=2 UNBIND
Feb 19 12:17:33 db1 slapd[49]: [ID 952275 local4.debug] conn=591 fd=22 closed
...
It always went fine, but yesterday this happened:
...
Feb 18 22:45:41 db1 slapd[21872]: [ID 848112 local4.debug] conn=3186 fd=22 ACCEPT from IP=192.168.2.253:49820 (IP=0.0.0.0:12312)
Feb 18 22:45:41 db1 slapd[21872]: [ID 215403 local4.debug] conn=3186 op=0 BIND dn="uid=maria.verdi(a)unipd.it,ou=people,dc=unipd,dc=it" method=128
Feb 18 22:45:41 db1 slapd[21872]: [ID 600343 local4.debug] conn=3186 op=0 BIND dn="uid=maria.verdi(a)unipd.it,ou=people,dc=unipd,dc=it" mech=SIMPLE ssf=0
Feb 18 22:45:41 db1 slapd[21872]: [ID 588225 local4.debug] conn=3186 op=0 RESULT tag=97 err=0 text=
Feb 18 22:45:41 db1 slapd[21872]: [ID 270379 local4.debug] conn=3186 op=1 EXT oid=1.3.6.1.4.1.4203.1.11.1
Feb 18 22:45:41 db1 slapd[21872]: [ID 461300 local4.debug] conn=3186 op=1 PASSMOD new
...
that is, no "RESULT" for PASSMOD, and the client performing the password
change received no answer (hung), and this has caused us many problems.
Could it possibly be an OpenLDAP bug?
Thank you very much,
Stefano
13 years, 7 months
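A check for the pattern in this post, as an added example that is not part of the original message: it pairs each password-modify extended operation (the EXT line carrying the RFC 3062 OID that appears in the log) with the RESULT for the same conn/op and reports the ones that never got one. The log lines are constructed after the ones above, with one syslog record per line and '@' in place of the obfuscated '(a)'; the function names are the example's own.

```python
import re

# RFC 3062 password-modify extended operation, the OID shown in the post's log.
PASSMOD_OID = "1.3.6.1.4.1.4203.1.11.1"

# Constructed sample log modelled on the post: one syslog record per line,
# the same two connections (591 completes, 3186 never gets a RESULT for its
# PASSMOD).
SAMPLE_LOG = """\
Feb 19 12:17:33 db1 slapd[49]: [ID 848112 local4.debug] conn=591 fd=22 ACCEPT from IP=192.168.2.253:49108 (IP=0.0.0.0:12312)
Feb 19 12:17:33 db1 slapd[49]: [ID 215403 local4.debug] conn=591 op=0 BIND dn="uid=mario.rossi@unipd.it,ou=people,dc=unipd,dc=it" method=128
Feb 19 12:17:33 db1 slapd[49]: [ID 600343 local4.debug] conn=591 op=0 BIND dn="uid=mario.rossi@unipd.it,ou=people,dc=unipd,dc=it" mech=SIMPLE ssf=0
Feb 19 12:17:33 db1 slapd[49]: [ID 588225 local4.debug] conn=591 op=0 RESULT tag=97 err=0 text=
Feb 19 12:17:33 db1 slapd[49]: [ID 270379 local4.debug] conn=591 op=1 EXT oid=1.3.6.1.4.1.4203.1.11.1
Feb 19 12:17:33 db1 slapd[49]: [ID 461300 local4.debug] conn=591 op=1 PASSMOD new
Feb 19 12:17:33 db1 slapd[49]: [ID 875301 local4.debug] conn=591 op=1 RESULT oid= err=0 text=
Feb 19 12:17:33 db1 slapd[49]: [ID 218904 local4.debug] conn=591 op=2 UNBIND
Feb 19 12:17:33 db1 slapd[49]: [ID 952275 local4.debug] conn=591 fd=22 closed
Feb 18 22:45:41 db1 slapd[21872]: [ID 848112 local4.debug] conn=3186 fd=22 ACCEPT from IP=192.168.2.253:49820 (IP=0.0.0.0:12312)
Feb 18 22:45:41 db1 slapd[21872]: [ID 215403 local4.debug] conn=3186 op=0 BIND dn="uid=maria.verdi@unipd.it,ou=people,dc=unipd,dc=it" method=128
Feb 18 22:45:41 db1 slapd[21872]: [ID 600343 local4.debug] conn=3186 op=0 BIND dn="uid=maria.verdi@unipd.it,ou=people,dc=unipd,dc=it" mech=SIMPLE ssf=0
Feb 18 22:45:41 db1 slapd[21872]: [ID 588225 local4.debug] conn=3186 op=0 RESULT tag=97 err=0 text=
Feb 18 22:45:41 db1 slapd[21872]: [ID 270379 local4.debug] conn=3186 op=1 EXT oid=1.3.6.1.4.1.4203.1.11.1
Feb 18 22:45:41 db1 slapd[21872]: [ID 461300 local4.debug] conn=3186 op=1 PASSMOD new
"""

OP_RE = re.compile(r"conn=(?P<conn>\d+) op=(?P<op>\d+) (?P<what>[A-Z]+)(?P<rest>.*)$")
BIND_RE = re.compile(r'BIND dn="(?P<dn>[^"]*)"')
CLOSED_RE = re.compile(r"conn=(?P<conn>\d+) fd=\d+ closed")


def find_hung_passmods(lines):
    """Return PASSMOD operations that never received a RESULT line.

    Each hit is a dict with conn, op, the DN bound on that connection and
    whether slapd logged the connection as closed.  A pending op on a
    connection that is still open is the situation the post describes."""
    bound = {}      # conn -> DN from the last BIND line on that connection
    pending = {}    # (conn, op) -> bound DN, for PASSMOD ops awaiting RESULT
    closed = set()
    for line in lines:
        m = CLOSED_RE.search(line)
        if m:
            closed.add(m.group("conn"))
            continue
        m = OP_RE.search(line)
        if not m:
            continue
        conn, op, what, rest = m.group("conn", "op", "what", "rest")
        if what == "BIND":
            b = BIND_RE.search(line)
            if b:
                bound[conn] = b.group("dn")
        elif what == "EXT" and "oid=" + PASSMOD_OID in rest:
            pending[(conn, op)] = bound.get(conn, "")
        elif what == "RESULT":
            pending.pop((conn, op), None)
    return [
        {"conn": c, "op": o, "dn": dn, "conn_closed": c in closed}
        for (c, o), dn in sorted(pending.items(), key=lambda kv: (int(kv[0][0]), int(kv[0][1])))
    ]


if __name__ == "__main__":
    for hit in find_hung_passmods(SAMPLE_LOG.splitlines()):
        print("no RESULT for PASSMOD: conn={conn} op={op} dn={dn} closed={conn_closed}".format(**hit))
```

Feed it the raw syslog file rather than a mail-wrapped copy: the records above were folded by the mailer, and the regexes expect conn=, op= and the OID on one line. Run over a day's log it gives the list of accounts whose password change hung, which is what has to be cross-checked against the client's retries.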
Server-Side Sort Overlay ordering problems
by Diego Lima
Hello,
I have enabled the server-side sorting overlay and I received the following
error on a search:
sssvlv: no ordering rule specified and no default ordering rule for
attribute uid
<= get_ctrls: n=1 rc=18 err="serverSort control: No ordering rule"
send_ldap_result: conn=1000 op=7 p=3
send_ldap_response: msgid=8 tag=101 err=18
ber_flush2: 50 bytes to sd 13
ldap_write: want=50, written=50
0000: 30 30 02 01 08 65 2b 0a 01 12 04 00 04 24 73 65 00...e+......$se
0010: 72 76 65 72 53 6f 72 74 20 63 6f 6e 74 72 6f 6c rverSort control
0020: 3a 20 4e 6f 20 6f 72 64 65 72 69 6e 67 20 72 75 : No ordering ru
0030: 6c 65 le
conn=1000 op=7 do_search: get_ctrls failed
Where should I specify the ordering rule for the uid attribute? The core
schema?
Thank you
--
Diego Lima
13 years, 7 months
ppolicy & sambaNTPassword
by Ralf Zimmermann
Hi all,
I have a problem with the overlay ppolicy and Samba. My Samba backend is
openldap-2.4.20. I have a default ppolicy and a pwdCheckModule. If I change the
userPassword, all works fine. I read the slapo-ppolicy man page and I know that
the only pwdAttribute is userPassword. If I change the userPassword with
smbpasswd, the policy also works fine. But if I want to change the password with
a Windows client, the problem begins. The sambaNTPassword is set every time to
the new password because the ppolicy overlay checks only the userPassword.
So both passwords are different and there is no control over the
sambaNTPassword.
Does any solution or workaround exist for this problem?
Any help is appreciated.
Kind regards
Ralf Zimmermann
--
.''`. Ralf Zimmermann
: :' : SIEGNETZ.IT GmbH
`. `' Schneppenkauten 1a
`- 57076 Siegen
Tel.: +49 271 68193 13
Fax.: +49 271 68193 29
Amtsgericht Siegen HRB4838
Geschaeftsfuehrer: Oliver Seitz
Sitz der Gesellschaft ist Siegen
13 years, 7 months
Problem with nss-ldap using GSSAPI
by Wojtek Polcwiartek
Hello,
We use LDAP as the name source in our system (libnss-ldap).
Until now we used an anonymous bind with LDAP and it worked fine.
Now we want to switch to GSSAPI (MIT Krb5), but getting names ('getent
passwd <name>') does not work: no result is returned/printed.
What is strange is that, when we run the query in debug mode (debug 7 in
/etc/ldap.conf), you can see the correct result in the debug part (in
"hexes"), but at the end no result is printed.
The only error message we could see is:
res_errno: 14, res_error: <SASL(0): successful result: >, res_matched: <>
Querying LDAP with ldapsearch still works fine.
Do you have any idea how to get closer to the source of the problem?
We use Ubuntu Karmic as client (repo package) and Solaris 10 (with
OpenLDAP 2.4.16) as server.
Greetings!
--
Wojtek Polcwiartek
------
tubIT
TU-Berlin
Web : www.tubit.tu-berlin.de
Email : tubit(a)tu-berlin.de
Tel : +49.30.314.28000
13 years, 7 months
binding to an alias entry?
by Stefan Palme
Hi,
I have two ldap entries:
dn: cn=me,ou=users,dc=kapott,dc=org
objectclass: person
cn: me
userPassword: ...

dn: cn=me,ou=imap,ou=groups,dc=kapott,dc=org
objectclass: alias
objectclass: extensibleObject
aliasedObjectName: cn=me,ou=users,dc=kapott,dc=org
cn: me
I can use the first DN to successfully bind to the LDAP server,
but not the second one. It would be nice to be able to use
"cn=me,ou=imap,ou=groups,dc=kapott,dc=org" as bind DN too, but
without duplicating the whole "person" entry with the userPassword.
Is this possible?
Thanks and regards
-stefan-
13 years, 7 months