Unique Overlay Help
by Piyush Joshi
Dear Expert,
I have used the unique overlay with my OpenLDAP install and that's working. Now I want two of my attributes to be unique, and that's not possible currently.
Can it be added in following OpenLDAP releases, or can anyone make a change in the unique overlay to perform the same?
--
Regards
******************************
Piyush Joshi
System administrator
9415414376
******************************
"Ability is what you're capable of doing. Motivation determines what you do.
Attitude determines how well you do it"
10 years, 9 months
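For reference, slapo-unique's unique_uri directive takes a comma-separated attribute list in its LDAP URL, so one uniqueness domain can cover more than one attribute. The slapd.conf fragment below is an added example, not part of the post above; the suffix, subtrees and attribute names are placeholders. Each listed attribute is checked on its own across the subtree (a uid value may not already exist in another entry's uid, likewise for mail); the overlay does not treat the pair of values as a combined key.

```conf
# Added example: slapo-unique covering two attributes in one domain
# (placeholder suffix, subtrees and attributes).
moduleload  unique.la          # only needed when overlays are built as modules

database    bdb
suffix      "dc=example,dc=com"
rootdn      "cn=Manager,dc=example,dc=com"
directory   /var/lib/ldap

overlay     unique
# No two entries below ou=people may share a uid value, and no two may share
# a mail value. Each attribute is checked separately; this does not make the
# (uid, mail) pair unique as a combination.
unique_uri  ldap:///ou=people,dc=example,dc=com?uid,mail?sub

# A second unique_uri line is an independent domain with its own base,
# attributes and scope, here for a different subtree.
unique_uri  ldap:///ou=groups,dc=example,dc=com?cn?one
```

After changing the configuration, `slaptest` checks the file and the overlay rejects an add or modify that would duplicate a listed value with a constraint violation, so the check can be exercised with a throwaway entry before relying on it.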
Overlays and OpenLDAP multi-threading model
by Lucas Brasilino
Hi!
I'm starting to see how overlays work in order to write one. But I've got a doubt and I'm asking to be sure: is the overlay stack called within each thread? If so, I think it can't block an entire thread pool, right?
My concern is about performance. The overlay I'm writing will only take place in some backend data modifications, but it can be quite slow in terms of OpenLDAP connection handling, because it will be communicating via IPC with another process... If this overlay blocks only one connection, it's OK. But if it blocks an entire thread pool, I'll have to figure out another solution.
Thanks a lot in advance
Lucas Brasilino
10 years, 9 months
LDAP Account Manager
by Foo Bar
hi
thanks for your answers.
I have begun to test with the LDAP Account Manager and it works. :-)
Now my question.
I have created a user with a standard password.
I want that when the user makes his first login, the client makes a request to change his password.
How can I create this in LDAP Account Manager, or must I do this on the openldap?
thx
m.enderlein
--
Mit freundlichen Grüßen / Best Regards
fooCCfoo
10 years, 9 months
Re-investigating ppolicy + chain issues on a consumer: chain configuration
by Siddhartha Jain
I am still stuck at the same place where a chained consumer allows a client to auth with a bad password. Remove chaining and bad passwords are no longer accepted.
To troubleshoot from scratch, I am curious about how chaining should be configured in the new ldif-based configuration scheme?
Initially, I created a slapd.conf with the appropriate chaining statements and converted that file to "slapd.d". The conversion places all the chaining config under the "frontend" database.
: [0115] root@ldaps01:olcDatabase={-1}frontend # ; ls -lR
.:
total 8
drwxr-x--- 2 ldap ldap 4096 Jun 24 00:30 olcOverlay={0}chain
-rw------- 1 ldap ldap 433 Jun 22 23:00 olcOverlay={0}chain.ldif
./olcOverlay={0}chain:
total 8
-rw------- 1 ldap ldap 591 Jun 23 23:53 olcDatabase={0}ldap.ldif
-rw------- 1 ldap ldap 893 Jun 24 00:30 olcDatabase={1}ldap.ldif
Interestingly, it creates two "ldap" databases for a single "chain" overlay. Can someone please explain why/how this is so? Why does chaining go to the "frontend" db instead of being under the database that is chained? I tried to create the "ldap" databases under a "bdb" database, but OpenLDAP won't allow that.
Thanks,
Siddhartha
10 years, 10 months
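As an added illustration (not from the thread), this is what a chain overlay converted into cn=config typically looks like, with the two "ldap" databases from the listing above. The chain overlay is a global overlay, and global overlays are stored under olcDatabase={-1}frontend in cn=config, which is why slaptest does not place it under the bdb database. Within it, olcDatabase={0}ldap holds the chain-* settings given before any chain-uri, the defaults every chained URI inherits, so it has no olcDbURI of its own; each chain-uri then becomes a further olcDatabase={n}ldap entry carrying that URI and its own bind settings. The URI, DNs and credentials below are placeholders.

```ldif
# Added example of the converted cn=config layout (placeholder URI, DNs and
# credentials).
dn: olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config
objectClass: olcOverlayConfig
objectClass: olcChainConfig
olcOverlay: {0}chain
# Return the provider's own result code for a chained operation to the client
# rather than the referral.
olcChainReturnError: TRUE

# {0}ldap: defaults shared by every chained URI; note there is no olcDbURI.
dn: olcDatabase={0}ldap,olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config
objectClass: olcLDAPConfig
objectClass: olcChainDatabase
olcDatabase: {0}ldap
olcDbStartTLS: start

# {1}ldap: the first chain-uri, with the identity used when forwarding
# operations to that provider.
dn: olcDatabase={1}ldap,olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config
objectClass: olcLDAPConfig
objectClass: olcChainDatabase
olcDatabase: {1}ldap
olcDbURI: "ldap://provider.example.net"
olcDbIDAssertBind: bindmethod=simple binddn="cn=chain,dc=example,dc=net" credentials="PLACEHOLDER" mode=self
```

Because the credentials in olcDbIDAssertBind are stored in clear in the {1}ldap entry's LDIF file, that file's permissions (root/ldap only, as in the listing above) matter as much as the database files themselves.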
data for search_base and bind_dn in postfix config.
by sam
Hi,
With Openldap 24, postfix 2.8,
I want to add the following entries in mydestination.cf file into my
openldap database,
Content of file mydestination.cf:
server_host = 127.0.0.1
server_port = 389
search_base = lookupName=mydestination,cn=postfix,cn=mailstore,ou=server,ou=edv,dc=example,dc=net
scope = sub
timeout = 30
bind = yes
bind_dn = cn=postfix,ou=system,ou=accounts,dc=example,dc=net
bind_pw = XXXXXXXXXX
version = 3
start_tls = no
query_filter = (lookupKey=%s)
result_attribute = lookupValue
My current openldap entry is shown below:
# cat initial.ldif
dn: dc=ip6,dc=com,dc=au
objectClass: top
objectClass: dcObject
objectClass: organization
o: IP6 Networks
dc: ip6
# super user node
dn: cn=root,dc=ip6,dc=com,dc=au
objectclass: organizationalRole
objectclass: simpleSecurityObject
cn: root
description: LDAP administrator
userPassword: {MD5}cW2LX0AjZxSBzv/mflD3xQ==
According to my current initial OpenLDAP database entries, can I change the entries in the mydestination.cf file into the following data?
search_base = lookupName=mydestination,cn=postfix,ou=hometest,dc=ip6,dc=com,dc=au
scope = sub
timeout = 30
bind = yes
bind_dn = cn=postfix,ou=accounts,dc=ip6,dc=com,dc=au
bind_pw = {MD5}cW2LX0AjZxSBzv/mflD3xQ==
I would very much appreciate any suggestion and help.
Thanks
Sam
10 years, 10 months
openldap pwdReset
by Allgood, John
Hey All
I have a question for you all. I am using OpenLDAP 2.4.31 on CentOS 5.5 and using the ppolicy overlay. I have also compiled the smbk5pwd module to update the Samba attributes when the user password is updated. My problem is that to change the password and have the Samba password update, I have to use ldappasswd, which works great. If I force a pwdReset and log in via gdm, the password program takes over and sets the POSIX password, but this does not change the Samba side, nor does it adhere to the ppolicy. I am thinking this may be something related to the /etc/pam.d/system-auth file, but I'm not sure. Any feedback would be appreciated.
John Allgood
Senior Systems Administrator
OHL Transportation Services
2251 Jesse Jewell Pky. NE
Gainesville, GA 30507
tel: (678) 989-3051 fax: (770) 531-7878
jallgood(a)ohl.com
www.ohl.com
10 years, 10 months
Copying trees from one consumer to another
by Nick Urbanik
Dear Folks,
With slurpd, copying a tree from one slave to another was like this:
1. stop slapd on both slaves.
2. netcat the directory across from one slave to the other.
3. stop slurpd on master
4. edit slurpd.status to make the time and replication number match
by copying that for the source to that for the destination slave.
5. start everything back up.
My question with syncrepl is:
How do I copy the database for a tree from one consumer to another
consumer (of the same producer) so that the newly copied replica knows
where its replication should continue from?
Is the state for replication of the database stored in the contextCSN
of the suffix entry?
If so, does that mean that with syncrepl, the above operation is
reduced to the following three steps?
1. Stop slapd on both consumers.
2. Netcat the database from one to the other.
3. start both consumers.
--
Nick Urbanik http://nicku.org 808-71011 nick.urbanik(a)optusnet.com.au
GPG: 7FFA CDC7 5A77 0558 DC7A 790A 16DF EC5B BB9D 2C24 ID: BB9D2C24
I disclaim, therefore I am.
10 years, 10 months
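Two of the questions above can be sanity-checked offline before touching a server: Sam's Postfix table (do bind_dn and search_base exist under a suffix the directory actually holds, and is bind_pw a cleartext password rather than the {MD5} string copied from userPassword, since Postfix sends bind_pw as the simple-bind credential as-is), and Nick's consumer copy (syncrepl records the consumer's replication state in the contextCSN of the suffix entry, and slapcat exports that attribute along with every entry's entryCSN, so an export can be inspected for that state before slapadd loads it on the other consumer). The Python below is an added example, not code from this list or from OpenLDAP; the directory entries and table definition are taken from Sam's post, the consumer export is constructed, and the LDIF reader is deliberately minimal (no base64 decoding, no escaped-comma DNs).

```python
def parse_ldif(text):
    """Minimal LDIF reader: one {attr_lowercase: [values]} dict per entry ('dn'
    included); unfolds continuation lines and skips '#' comment lines."""
    entries, attrs = [], None
    for line in text.replace("\n ", "").splitlines() + [""]:  # "" flushes last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if attrs:
                entries.append(attrs)
            attrs = None
            continue
        name, _, value = line.partition(":")
        attrs = {} if attrs is None else attrs
        attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return entries

def norm_dn(dn):
    """Case-fold RDNs and strip spaces around them (escaped commas not handled)."""
    return tuple(rdn.strip().lower() for rdn in dn.split(","))

def check_postfix_table(table_text, ldif_text):
    """Return {parameter: problem} for a Postfix ldap table checked against ldif_text."""
    cfg = {}
    for line in table_text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            cfg[key.strip()] = value.strip()
    present = {norm_dn(e["dn"][0]) for e in parse_ldif(ldif_text)}
    problems = {}
    pw = cfg.get("bind_pw", "")
    # bind_pw is the simple-bind credential itself; a {SCHEME}hash copied out of
    # userPassword is not the password, so such a bind would fail.
    if pw.startswith("{") and "}" in pw:
        problems["bind_pw"] = "looks like a stored userPassword hash, not a cleartext password"
    for key in ("bind_dn", "search_base"):
        dn = norm_dn(cfg.get(key, ""))
        if dn in present:
            continue
        ancestors = [p for p in present if dn[-len(p):] == p]   # existing parents
        if not ancestors:
            problems[key] = "%s lies under no suffix present in the directory" % cfg.get(key)
        else:
            nearest = ",".join(max(ancestors, key=len))
            problems[key] = "%s does not exist yet (nearest existing ancestor: %s)" % (cfg.get(key), nearest)
    return problems

def check_sync_export(ldif_text, suffix):
    """Return the suffix entry's contextCSN values and the DNs whose entryCSN is
    newer than the contextCSN of the same server ID (or whose ID has none)."""
    sid = lambda csn: csn.split("#")[2]   # CSN layout: time#count#sid#mod
    entries = parse_ldif(ldif_text)
    want = norm_dn(suffix)
    ctx = {}
    for e in entries:
        if norm_dn(e["dn"][0]) == want:
            for c in e.get("contextcsn", []):
                ctx[sid(c)] = c
    ahead = []
    for e in entries:
        for c in e.get("entrycsn", []):
            ref = ctx.get(sid(c))
            if ref is None or c > ref:   # fixed-width fields: string order is time order
                ahead.append(e["dn"][0])
    return {"contextCSN": sorted(ctx.values()), "ahead_of_context": ahead}

# Directory content from the Postfix post (blank line restored) and the table proposed there.
INITIAL_LDIF = """\
dn: dc=ip6,dc=com,dc=au
objectClass: dcObject
dc: ip6

# super user node
dn: cn=root,dc=ip6,dc=com,dc=au
objectclass: simpleSecurityObject
cn: root
userPassword: {MD5}cW2LX0AjZxSBzv/mflD3xQ==
"""
POSTFIX_TABLE = """\
search_base = lookupName=mydestination,cn=postfix,ou=hometest,dc=ip6,dc=com,dc=au
scope = sub
bind = yes
bind_dn = cn=postfix,ou=accounts,dc=ip6,dc=com,dc=au
bind_pw = {MD5}cW2LX0AjZxSBzv/mflD3xQ==
"""
# Constructed stand-in for slapcat output from a syncrepl consumer: the suffix
# entry carries contextCSN, every entry carries entryCSN.
CONSUMER_EXPORT = """\
dn: dc=ip6,dc=com,dc=au
objectClass: dcObject
dc: ip6
entryCSN: 20100601120000.000000Z#000000#000#000000
contextCSN: 20100624003000.000000Z#000000#000#000000

dn: cn=root,dc=ip6,dc=com,dc=au
cn: root
entryCSN: 20100624003000.000000Z#000000#000#000000
"""
```

Running `check_postfix_table(POSTFIX_TABLE, INITIAL_LDIF)` reports all three parameters: the bind_pw is a hash, and neither the bind_dn nor the search_base exists yet below dc=ip6,dc=com,dc=au. `check_sync_export(CONSUMER_EXPORT, "dc=ip6,dc=com,dc=au")` returns the single contextCSN and an empty `ahead_of_context` list; an entry whose entryCSN is newer than the contextCSN for its server ID, or whose server ID has no contextCSN at all, shows up in that list and is worth understanding before the export is loaded elsewhere.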
Re: smbk5pwd: ldappassword hangs
by Frank Van Damme
2010/6/10 Quanah Gibson-Mount <quanah(a)zimbra.com>:
> --On Thursday, June 10, 2010 1:36 PM +0200 Frank Van Damme
> <frank.vandamme(a)gmail.com> wrote:
>
>> 2010/6/7 Quanah Gibson-Mount <quanah(a)zimbra.com>:
>>>
>>> --On Monday, June 07, 2010 11:56 AM +0200 Frank Van Damme
>>> What version of OpenLDAP are you using? You've failed to mention that
>>> anywhere.
>>
>> 2.4.11 (Debian 5.0).
>
> There have been multiple fixes to smbk5pwd since that release. Plus
> hundreds of fixes elsewhere in the software. I would highly advise you to
> upgrade to a current release, and most specifically to build OpenLDAP with
> OpenSSL rather than GnuTLS. Once you've done that, then see if you continue
> to have issues.
>
> --Quanah
I did so.
I had some rough times trying to get through the compilation process (of version 2.4.21), because test 44 kept failing; then I disabled the dynlist overlay (which that test exercises) and compilation succeeded fine. The server works, too.
But the original problem has not gone away. As soon as I try ldappasswd-ing with the smbk5pwd overlay enabled, the process hangs (at least if authentication of the user I test this with succeeds). The module is of course compiled from the contrib tree of 2.4.21.
--
Frank Van Damme
A: Because it destroys the flow of the conversation.
Q: Why is it bad?
A: No, it's bad.
Q: Should I top post in replies to mailing lists or on Usenet?
10 years, 10 months
How to change OpenLDAP database directory
by Mail Admin
Hello,
I am very new to Linux and OpenLDAP. We have set up a mail server on CentOS (Postfix, Dovecot, etc.) with OpenLDAP as backend.
1) We want to change the database directory of OpenLDAP from /var/lib/ldap to /var/vmail/ldap. Could someone please let me know the settings I need to make to achieve this?
2) I tried to create /var/lib/ldap as a linked folder (actual database located under /var/vmail/ldap). Permissions to the files and folders under this were set exactly the same. When I start the ldap service, I get the following error:
backend_startup_one: bi_db_open failed! (-1)
slap_startup failed (test would succeed using the -u switch) [FAILED]
stale lock files may be present in /var/lib/ldap/dbname [WARNING]
If I remove the linked folder and copy the contents to /var/lib/ldap, everything works perfectly fine. Is a linked folder not going to work for ldap? Or am I missing something here? (Please note that the folder /var/vmail is a separate LUN in the SAN.)
I would like to achieve any one of the scenarios mentioned above. Any help on this would be highly appreciated.
Best Regards
PineMail Admin
10 years, 10 months
Configuring slapd.conf-less OpenLDAP
by Braden McDaniel
I'm trying to get OpenLDAP up and running on Fedora (12) using the
cn=config-based configuration.
I've changed /etc/openldap/slapd.d/cn=config/olcDatabase={1}bdb.ldif to point to my domain:
olcSuffix: dc=endoframe,dc=net
olcRootDN: cn=Manager,dc=endoframe,dc=net
And I've added:
olcRootPW: [slappasswd output]
However, I haven't had any luck using this password:
# ldapadd -x -D "cn=Manager,dc=endoframe,dc=net" -W -f Manager.ldif
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
Is there some other way I should be specifying the password?
--
Braden McDaniel <braden(a)endoframe.com>
10 years, 10 months