ldaprc with ldaps:// and ldap:// fallback
by manu@netbsd.org
Hello
I would like to set up an ldaprc so that an application uses:
- a localhost-based slapd without authentication (just relying on
filesystem permissions on the slapd socket)
- if it is not available, a remote slapd, authenticating using a client
certificate
Here is the desired ldaprc:
BASE dc=example,dc=net
URI ldapi:/// ldaps://ldap.example.net
TLS_CACERT /etc/openssl/ca.crt
TLS_CERT /etc/openssl/host.crt
TLS_KEY /etc/openssl/host.key
SASL_MECH EXTERNAL
TLS_REQCERT demand
Of course it will not work, as the ldapi:/// connection will present a
certificate. I have the feeling the setup I am looking for cannot be
configured. Is that right?
--
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu(a)netbsd.org
10 years, 9 months
openldap mysqlcluster and FreeRadius Schema
by Levent ILDENIZ
Hi,
I have a problem with OpenLDAP with MySQL Cluster and with the FreeRADIUS
schema.
I inserted the FreeRADIUS schema statement in my slapd.conf; when I create
any user with radiusprofile, I see the failure messages below:
"ndb_oc_create: CREATE TABLE radiusprofile failed, Row size too large.
The maximum row size for the used table type, not counting BLOBs, is
8052. You have to change some columns to TEXT or BLOBs (1118)
ndb_back_add: ndb_entry_put_data failed (80) Tuple did not exist(626)"
How can I fix this?
--
Levent ILDENIZ
10 years, 9 months
Re: How to change openldap database directory
by Mail Admin
Thanks Quanah/Mauricio/Chris for the reply.
In fact, that is the first thing I did, I get the following error when I
start ldap service.
Checking configuration files for slapd: bdb_db_open: Cannot access database
directory /var/vamail/ldap/mydomain.com (13)
Backend_startup_one: bi_db_open failed! (-1)
Slap_startup failed (test would succeed using the -u switch) [FAILED]
Stale lock files may be present in /var/vmail/ldap/mydomain.com [WARNING]
Permission looks exactly the same. Any idea why this error?
10 years, 9 months
RE: Can password-hash be database specific? also, storing and verifying cleartext passwords
by masarati@aero.polimi.it
>> -----Original Message-----
>> Is the 'password-hash' configuration function a server-wide setting
>> only
>> or can it be set to different values for separate databases?
>> I'm trying to add MAC-auth RADIUS functionality to my LDAP server
>> (openldap-2.4.21) and I need to store the password for the MAC
>> addresses
>> in cleartext. I also use the LDAP server for user login which I don't
>> want to keep in cleartext. So, my thought was to have 'password-hash
>> {SSHA}' for the users database, and 'password-hash {CLEARTEXT}' for the
>> RADIUS database, but it appears that it's a global so I'm pretty sure
>> this won't work.
>
> Yes, each database can have a different hashing mechanism set.
> http://www.openldap.org/software/man.cgi?query=slapd-config&apropos=0&sek...
I'm afraid that man page is incorrect. As far as I know, that directive
is global, not database specific. That's what I get from the code (and
what I remembered). You can check yourself by adding the directive and
inspecting the content of cn=config.
We need at least to fix the manpage.
p.
10 years, 9 months
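The thread above is about storing hashed userPassword values for people while keeping cleartext values for the MAC-address accounts that RADIUS needs. As an added example (not code from the thread or from OpenLDAP), the Python below implements the {SSHA} layout that OpenLDAP's slappasswd produces ("{SSHA}" followed by base64 of the SHA-1 digest of password+salt, with the salt appended), a verifier that also accepts {SHA} and bare cleartext values, and a helper that makes the trade-off explicit: a hashed value can only be tested against a candidate, whereas a cleartext value hands the password itself to whatever reads the entry. All passwords and salts in it are constructed.

```python
"""{SSHA}/{SHA}/cleartext userPassword handling as OpenLDAP stores it.

Added example, not code from the thread. Layout of an {SSHA} value:
    "{SSHA}" + base64( sha1(password || salt) || salt )
slappasswd uses a 4-byte salt; any salt length decodes correctly because
the SHA-1 digest is always 20 bytes and whatever follows it is the salt.
"""
import base64
import hashlib
import hmac
import os
from typing import Optional

SHA1_LEN = 20


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Produce a userPassword value in the {SSHA} scheme."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def sha_hash(password: str) -> str:
    """Unsalted {SHA}: equal passwords give equal values, so weaker than {SSHA}."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def split_scheme(stored: str):
    """Return (scheme, payload); a value without a {scheme} prefix is cleartext."""
    if stored.startswith("{") and "}" in stored:
        end = stored.index("}")
        return stored[1:end].upper(), stored[end + 1:]
    return "CLEARTEXT", stored


def verify_userpassword(candidate: str, stored: str) -> bool:
    """Check a candidate against a stored value; constant-time for every scheme."""
    scheme, payload = split_scheme(stored)
    pw = candidate.encode("utf-8")
    if scheme == "SSHA":
        raw = base64.b64decode(payload)
        digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
        return hmac.compare_digest(hashlib.sha1(pw + salt).digest(), digest)
    if scheme == "SHA":
        return hmac.compare_digest(hashlib.sha1(pw).digest(), base64.b64decode(payload))
    if scheme == "CLEARTEXT":
        return hmac.compare_digest(pw, payload.encode("utf-8"))
    raise ValueError(f"unsupported scheme {{{scheme}}}")


def recoverable_cleartext(stored: str) -> Optional[str]:
    """The password a reader of the entry (e.g. a RADIUS server) can recover:
    the value itself for cleartext storage, nothing for a hashed value."""
    scheme, payload = split_scheme(stored)
    return payload if scheme == "CLEARTEXT" else None


if __name__ == "__main__":
    # Constructed sample values.
    person = ssha_hash("s3cret")
    mac_account = "s3cret"            # what 'password-hash {CLEARTEXT}' leaves behind
    print(person, verify_userpassword("s3cret", person))
    print("recoverable:", recoverable_cleartext(person), recoverable_cleartext(mac_account))
```

With a hashed value the only operation available to a consumer is the bind-style check in `verify_userpassword`; RADIUS methods that must derive the password themselves only work on entries whose value `recoverable_cleartext` returns, which is why the two kinds of accounts are best kept in separate subtrees with access controls to match.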
OpenLDAP to replace Oracle Internet Directory
by Matheus Morais
Hi there,
I would like to share with this list my experiences with OpenLDAP
implementation at one financial company, which is currently my job, and they
use Oracle Internet Directory as their solution for LDAP service. This is my
third year at the company and in my early days I was responsible to make the
'dirty work' in order to keep OID (I will use acronym from now because the
name of the software is too large for keep writing :) working when the
senior analysts were too busy with other projects to fix or request a fix
for OID problems.
At some day those senior analysts left the company and I was blessed as the
'LDAP guy' by the managers. From that day I started to think by my own on
that and as a free software enthusiast plus my previous small experiences
with LDAP infrastructure turned my ideas for an obvious project, the
OpenLDAP. I will talk more about OpenLDAP later.
They have an interesting LDAP tree which has some design problems but in a
general way it is useful and support the company business process. From
infrastructure perspective it's painful, and the main reason is the
replication technique, which is absolutely inefficient in almost every
aspect, from performance to scalability. OID by itself is also a great
problem, it didn't respect RFC, has tons of stupid bugs that take an
eternity to get resolved, has a relational database as 'backend' and the
installation process is even worst. The replication is based on OID
changelog at database level and small applications, called agents written in
Java, are responsible to take that changes from database and replicate the
modifications across the slaves. So for each slave we have an java agent
querying Master and some thousand additional rows at OID database. I don't
know much about why they decided to write their own replication tool instead
of using from OID but the old guys told me that Oracle replication software
(DIP) didn't work well and was a very bad piece of software, just as OID
BTW.
With that architecture we basically started to suffer from the following
problems:
1 - Performance with the Master
2 - Slave scalability
3 - Information integrity
The performance problem with Master was generated by the replication agents
which consume database resources to perform the replication. This first
problem also generates the second because we couldn't increase the number of
slaves due to performance problems. OID bugs were also generating an
incredible number of inconsistencies in the tree.
From that point I started a small project whose first objective was to avoid the
performance problems with Master. The project was based on OpenLDAP adoption
as replacements for OID slaves, an OpenLDAP Master would be created with two
more OpenLDAP slaves using Delta-syncrepl to replication. With OpenLDAP
slaves we could shutdown some replication agents and also the OID slaves
giving more 'air' to Master database breath.
The first OpenLDAP tests showed an unbelievable performance: 23560 entries
returned from a search in exactly 4 seconds on average. The same operation
search against OID returned in 30 seconds average. The machine configuration
is almost the same, the only difference is that OID infrastructure require
two machines, one for oidldapd and other for Oracle DB and we also need a
DBA support BTW.
We've made a presentation to the managers showing the quality of OpenLDAP,
the overlay concept and how we could use that to improve in service
reliability and availability. We showed everything on our performance
comparisons and asked them to support us in that 'migration' project.
Two weeks ago we replaced the first OID infrastructure for OpenLDAP 2.4.22
and everyone here is enjoying how fast is the system response and how stable
is delta-syncrepl. I have evaluated with current numbers, that we will be
able to replace 4 OID to just 1 OpenLDAP infrastructure and that is really
pleasant. The entire migration is planned to happen in next november.
I want to thank everyone responsible for keeping the OpenLDAP project at that high
level of quality, and I am really proud that that kind of quality has been
produced by a free software project (free as in freedom).
Thanks,
Matheus Morais
10 years, 9 months
Fwd: ldapsearch using entryCSN
by Pierre Laporte
Hi,
I'm trying to search entries in an OpenLDAP (v2.4.7) directory using their
last modification date as a criterion. Digging in the schemas, I couldn't
find an attribute that contained such a value. The only thing I found was
the internal attribute "entryCSN" used by OpenLDAP to manage
synchronization.
I tried to do several ldapsearch queries, but I couldn't manage to obtain a
decent result.
Using "(&(objectClass=groupOfUniqueNames))"
=> I get every group of the directory. I can see that lots of them were
modified in 2009
Related problem :
Using "(&(objectClass=groupOfUniqueNames)(entryCSN<=20091224))"
=> The slapd2.4 process stops without returning anything.
Using "(&(objectClass=groupOfUniqueNames)(entryCSN <= 20091224))"
(The same query with spaces)
=> I don’t get any result. Shouldn't I retrieve the entries modified before
2010/12/24 ?
Using "(&(objectClass=groupOfUniqueNames)(entryCSN >= 20091224))"
=> I don’t get any result. Shouldn't I retrieve the entries modified after
2010/12/24 ?
- Does anyone know how to filter entries using their entryCSN?
- Btw, is it even possible?
Best regards
--
Pierre Laporte
10 years, 9 months
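Two facts explain the results reported above: entryCSN is not a timestamp but a CSN (change sequence number), a value of the form `20091224000000.123456Z#000001#000#000000`, and its ordering rule compares against a full CSN, so a bare `20091224` is not a valid assertion value; the operational attribute that actually carries the modification time is `modifyTimestamp`, with GeneralizedTime syntax (`20091224000000Z`) and an ordering matching rule. Operational attributes are only returned when requested explicitly (or with `+` in the attribute list). The Python below is an added example, not code from the post: it parses 2.4-style CSN values, selects constructed entries by the time component client-side, and builds the server-side `modifyTimestamp` filter; the group names and CSN values are constructed.

```python
"""Parse OpenLDAP entryCSN values and select entries by modification time.

Added example, not code from the original post. SAMPLE_ENTRIES is
constructed; real values come from an ldapsearch that requests entryCSN
or modifyTimestamp explicitly (for instance with '+' in the attribute list).
"""
import re
from datetime import datetime, timezone

# OpenLDAP 2.4 CSN layout: <UTC time>.<microseconds>Z#<count>#<sid>#<modcount>
CSN_RE = re.compile(
    r"^(?P<ts>\d{14})\.(?P<us>\d{6})Z"
    r"#(?P<count>[0-9a-fA-F]{6})#(?P<sid>[0-9a-fA-F]{3})#(?P<mod>[0-9a-fA-F]{6})$"
)


def is_csn(value: str) -> bool:
    """True if value is a syntactically complete CSN (a bare date is not)."""
    return CSN_RE.match(value) is not None


def parse_csn(value: str):
    """Return (timestamp, count, sid, modcount); raise on bad syntax."""
    m = CSN_RE.match(value)
    if m is None:
        raise ValueError(f"not a CSN: {value!r}")
    when = datetime.strptime(m["ts"], "%Y%m%d%H%M%S").replace(
        microsecond=int(m["us"]), tzinfo=timezone.utc)
    return when, int(m["count"], 16), int(m["sid"], 16), int(m["mod"], 16)


def generalized_time(when: datetime) -> str:
    """Format an aware datetime as LDAP GeneralizedTime, e.g. 20091224000000Z."""
    return when.astimezone(timezone.utc).strftime("%Y%m%d%H%M%SZ")


def modify_timestamp_filter(object_class: str, cutoff: datetime, after: bool = False) -> str:
    """Server-side filter on modifyTimestamp (GeneralizedTime, ordering rule)."""
    op = ">=" if after else "<="
    return f"(&(objectClass={object_class})(modifyTimestamp{op}{generalized_time(cutoff)}))"


def modified_on_or_before(entries, cutoff: datetime):
    """Client-side selection by the time component of entryCSN; DNs in input order."""
    return [e["dn"] for e in entries if parse_csn(e["entryCSN"])[0] <= cutoff]


# Constructed sample data standing in for ldapsearch output.
SAMPLE_ENTRIES = [
    {"dn": "cn=admins,ou=groups,dc=example,dc=org",
     "entryCSN": "20091201093000.000000Z#000000#000#000000"},
    {"dn": "cn=staff,ou=groups,dc=example,dc=org",
     "entryCSN": "20100105180000.250000Z#000000#000#000000"},
    {"dn": "cn=ops,ou=groups,dc=example,dc=org",
     "entryCSN": "20091224000000.000000Z#000001#000#000000"},
]
CUTOFF = datetime(2009, 12, 24, tzinfo=timezone.utc)

if __name__ == "__main__":
    print("20091224 is a CSN:", is_csn("20091224"))
    print("modified on or before cutoff:", modified_on_or_before(SAMPLE_ENTRIES, CUTOFF))
    print("server-side filter:", modify_timestamp_filter("groupOfUniqueNames", CUTOFF))
```

The client-side path is useful for auditing a dump, but for live queries the `modifyTimestamp` filter is the one to send; entryCSN is a replication artefact and may be rewritten by syncrepl without any user-visible change to the entry.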
Migration from Novell eDirectory to OpenLDAP
by Stefan-Michael Guenther
Hello,
has anyone on this list migrated the data of a Novell eDirectory into an
OpenLDAP Server?
Our first problem is that the schema files of eDirectory contain
nearly the same information as the schema files of OpenLDAP, but the
structure of these files is completely different.
Thanks for any hints or suggestions,
Stefan
--
********************************************
in-put GbR - Das Linux-Systemhaus
Stefan-Michael Guenther
Geschaeftsfuehrer
Moltkestrasse 49 D-76133 Karlsruhe
Tel./Fax : +49 (0)721 / 6 80 32 88 - 0 / 3
http://www.in-put.de/
********************************************
Schulungen Installationen
Beratung Support
Voice-over-IP-Loesungen
********************************************
10 years, 9 months
limits based on the base being searched (rather than doing the searching)
by Francis Swasey
I have been requested to open up a specific branch of our DIT to allow
more than the default number of entries to be returned for searches by
anyone that get results from that branch.
My reading of the slapd.conf manual page indicates the requested limits
adjustment is not possible in the currently available OpenLDAP software
(I am running 2.4.22).
Have I missed something in my reading?
Thanks,
--
Frank Swasey | http://www.uvm.edu/~fcs
Sr Systems Administrator | Always remember: You are UNIQUE,
University of Vermont | just like everyone else.
"I am not young enough to know everything." - Oscar Wilde (1854-1900)
10 years, 9 months
Windows 7 users' authentication with openldap ?
by Frank Bonnet
Hello
Anyone knows if it is possible to authenticate users of a windows 7
client machine as we do with UNIX clients with pam_ldap + nss_ldap
to our openldap server ?
Thank you.
F
10 years, 9 months
How to change openldap database directory
by Mail Admin
Hello Team,
I am very new to Linux and Openldap. We have set up a mail server on CentOS,
Postfix, Dovecot, etc. with OpenLDAP as backend.
1) We want to change the database directory of Openldap from /var/lib/ldap to
/var/vmail/ldap . Could someone please let me know the settings I need to
make to achieve this?
2) I tried to create /var/lib/ldap as a linked folder (actual database
located under /var/vmail/ldap). Permissions to the files and folders under
this were set exactly the same. When I start the ldap service, I get the
following error:
backend_startup_one: bi_db_open failed! (-1)
slap_startup failed (test would succeed using the -u switch) [FAILED]
stale lock files may be present in /var/lib/ldap/dbname [WARNING]
If I remove the linked folder and copy the contents to /var/lib/ldap,
everything works perfectly fine. Is linked folder not going to work for
ldap? or am I missing something here? (Please note that the folder
/var/vmail is a separate LUN in the SAN).
I would like to achieve any one of the scenarios mentioned above. Any help on
this would be highly appreciated.
Best Regards
PineMail Admin
10 years, 9 months
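In this thread (the question here and the follow-up "Re: How to change openldap database directory" above) the error is "Cannot access database directory ... (13)", and 13 is errno EACCES: a permission denial somewhere on the path. slapd runs as its service user (on CentOS packages typically `ldap`), so every directory on the path it actually resolves, symlinks followed, must grant that user search (x) permission and the database directory itself needs rwx. The Python below is an added example, not code from the thread or from OpenLDAP: it walks the resolved path and reports the first component that would refuse the given uid, and includes a constructed scenario mirroring the symlinked layout in the post. It checks classic mode bits only; SELinux labels, which on CentOS differ between /var/lib/ldap and an arbitrary directory, are a separate cause this check cannot see, and "permissions look the same" is exactly the symptom that points there.

```python
"""Check whether a service user can reach a slapd database directory.

Added example, not code from the thread. errno 13 (EACCES) means a
permission denial somewhere on the path, so this walks every component of
the *resolved* path (symlinks followed) and reports where the configured
user would be refused. Mode bits only; SELinux is not modelled.
"""
import os
import shutil
import stat
import tempfile

R, W, X = 4, 2, 1


def has_access(st: os.stat_result, uid: int, gids, want: int) -> bool:
    """Classic Unix permission check for the bits in `want` (R, W, X)."""
    if uid == 0:
        return True                       # root bypasses mode bits (not SELinux)
    mode = st.st_mode
    if st.st_uid == uid:
        bits = (mode >> 6) & 7
    elif st.st_gid in gids:
        bits = (mode >> 3) & 7
    else:
        bits = mode & 7
    return bits & want == want


def check_dir_access(path: str, uid: int, gids):
    """Return (resolved_path, problems) where problems is a list of (component, reason).

    Intermediate directories need search (x); the database directory itself
    needs rwx because slapd creates and locks files in it."""
    real = os.path.realpath(path)
    problems = []
    current = os.sep
    parts = [p for p in real.split(os.sep) if p]
    for i, part in enumerate(parts):
        current = os.path.join(current, part)
        try:
            st = os.stat(current)
        except FileNotFoundError:
            problems.append((current, "does not exist"))
            break
        if not stat.S_ISDIR(st.st_mode):
            problems.append((current, "not a directory"))
            break
        last = i == len(parts) - 1
        want = R | W | X if last else X
        if not has_access(st, uid, gids, want):
            problems.append((current, f"uid {uid} lacks {'rwx' if last else 'x'} "
                                      f"(mode {stat.S_IMODE(st.st_mode):04o}, "
                                      f"owner {st.st_uid}:{st.st_gid})"))
    return real, problems


def demo_symlinked_dbdir(db_mode: int):
    """Constructed scenario mirroring the post: <tmp>/link -> <tmp>/real/db.

    Evaluated for a uid that owns nothing in the tree (current uid + 1, no
    groups), so only the 'other' bits count. Returns (resolved db path,
    problem components below the temporary root)."""
    tmp = os.path.realpath(tempfile.mkdtemp())
    try:
        real_db = os.path.join(tmp, "real", "db")
        os.makedirs(real_db)
        os.chmod(tmp, 0o755)
        os.chmod(os.path.join(tmp, "real"), 0o755)
        os.chmod(real_db, db_mode)
        link = os.path.join(tmp, "link")
        os.symlink(real_db, link)
        stranger = os.getuid() + 1
        resolved, problems = check_dir_access(link, stranger, set())
        return resolved, [c for c, _ in problems if c.startswith(tmp)]
    finally:
        shutil.rmtree(tmp)


if __name__ == "__main__":
    import pwd
    import sys
    user = sys.argv[1] if len(sys.argv) > 1 else "ldap"        # assumed service user
    path = sys.argv[2] if len(sys.argv) > 2 else "/var/lib/ldap"
    try:
        pw = pwd.getpwnam(user)
    except KeyError:
        sys.exit(f"no such user: {user}")
    gids = set(os.getgrouplist(user, pw.pw_gid))
    resolved, problems = check_dir_access(path, pw.pw_uid, gids)
    print(f"{path} -> {resolved}")
    for component, reason in problems or [(resolved, "reachable with mode bits")]:
        print(f"  {component}: {reason}")
```

Run it as `python3 check_dbdir.py ldap /var/lib/ldap` (the script name is hypothetical) on the box in question; if it reports nothing and slapd still fails with (13), the remaining suspects are an SELinux label on the new location and a stale lock file left from an earlier attempt, which the warning line in the error output already hints at.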