openldap-technical January 2011

openldap-technical@openldap.org

91 participants
107 discussions

Subscribe question
by Stanczak Slawomir 28 Jan '11

28 Jan '11

I'm not developer of OpenLDAP Software. I'm ordinary end user. OpenLDAP Software discussion list is now shutdown. Can you tell what does it mean? Where can I send my questions when I have a problems with new OpenLDAP sotfware? Really on OpenLDAP-technical list? And maybe OpenLDAP team not supporting software discussion list for ordinary end user now? I'm very sorry but I don't understand this at all. Send me please short information about it. Regards Slawomir Stanczak

2 1

RE: openldap-technical Digest, Vol 38, Issue 26
by Alexey Shalin 27 Jan '11

27 Jan '11

Hello, can you please help me pwdExpireWarning I have setuped pwdExpireWarning 300 *5 min* then UI updated password for user 0000: 30 6d 02 01 02 64 68 04 1f 75 69 64 3d 6d 61 78 0m...dh..uid=max 0010: 2c 6f 75 3d 75 73 65 72 73 2c 6f 75 3d 74 72 61 ,ou=users,ou=tra 0020: 6e 73 6d 61 73 74 65 72 30 45 30 1e 04 0b 6f 62 nsmaster0E0...ob 0030: 6a 65 63 74 43 6c 61 73 73 31 0f 04 0d 69 6e 65 jectClass1...ine 0040: 74 4f 72 67 50 65 72 73 6f 6e 30 23 04 0e 70 77 tOrgPerson0#..pw 0050: 64 43 68 61 6e 67 65 64 54 69 6d 65 31 11 04 0f dChangedTime1... 0060: 32 30 31 31 30 31 32 38 30 37 35 34 33 31 5a 20110128075431Z After 5 minutes, if a user tries to connect to the database, it must issue a message, right ? -------------------------------------------------- This attribute controls whether and when a warning message of password expiration will be returned on a bind attempt. -------------------------------------------------- But nothing happen.. :( I have this ppolice : dn: cn=std, ou=ppolicy, ou=transmaster pwdCheckModule: check_password.so pwdMaxFailure: 6 pwdMustChange: TRUE pwdAttribute: userPassword pwdMinLength: 7 pwdSafeModify: FALSE pwdInHistory: 4 pwdGraceAuthNLimit: 3 pwdCheckQuality: 1 objectClass: pwdPolicy objectClass: top objectClass: device objectClass: pwdPolicyChecker pwdLockoutDuration: 60 cn: std pwdAllowUserChange: TRUE pwdExpireWarning: 300 pwdLockout: TRUE Thank you -----Original Message----- From: openldap-technical-bounces(a)OpenLDAP.org [mailto:openldap-technical-bounces@OpenLDAP.org] On Behalf Of openldap-technical-request(a)OpenLDAP.org Sent: Thursday, January 27, 2011 6:00 PM To: openldap-technical(a)openldap.org Subject: openldap-technical Digest, Vol 38, Issue 26 Send openldap-technical mailing list submissions to openldap-technical(a)openldap.org To subscribe or unsubscribe via the World Wide Web, visit http://www.openldap.org/lists/mm/listinfo/openldap-technical or, via email, send a message with subject or body 'help' to openldap-technical-request(a)openldap.org You can reach the person managing the list at openldap-technical-owner(a)openldap.org When replying, please edit your Subject line so it is more specific than "Re: Contents of openldap-technical digest..." Send openldap-technical mailing list submissions to openldap-technical(a)openldap.org When replying, please edit your Subject: header so it is more specific than "Re: openldap-technical digest..." Today's Topics: 1. Re: Replication monitoring (Andreas Andersson) 2. Re: Replication monitoring (Peter Boosten) 3. Re: problem with limits configuration (Dan Pritts) 4. Re: Replication monitoring (Peter Boosten) 5. Re: Replication monitoring (Peter Boosten) 6. Re: Failover Failure Advice (Anton Chu) 7. Re: Failover Failure Advice (Quanah Gibson-Mount) 8. Re: Failover Failure Advice (Chris Jacobs) 9. Re: slapd logging in chroot() environment (Peter Palmreuther) 10. Re: slapd logging in chroot() environment (Dieter Kluenter) 11. meta directory backend and rewriting option '|' (Lehnert, Hartmut) 12. constraint overlay question (jarek) 13. openldap memberof attribute (Vincent Li) 14. deleting schema elements from cn=config (Tim Gustafson) 15. Re: openldap memberof attribute (Michael Str?der) 16. MemberOf attribute not being returned (Mark Cairney) ---------------------------------------------------------------------- Message: 1 Date: Wed, 26 Jan 2011 19:32:22 +0100 From: Andreas Andersson <zreoxx(a)gmail.com> To: Peter Boosten <peter(a)boosten.org> Cc: openldap-technical(a)openldap.org Subject: Re: Replication monitoring Message-ID: <7705A370-58E9-4D18-ACF1-9E287851835E(a)gmail.com> Content-Type: text/plain; charset="windows-1252" Hi! Thanks. Made a note about the config directory. I've focused on following the FHS: http://www.pathname.com/fhs/ As it is a symlink it should be possible to put the config directory wherever you want (I guess that's what you did). How about replication verification? Can you confirm that its working? Regards - Andreas On Jan 26, 2011, at 10:19 AM, Peter Boosten wrote: > > On 24 jan 2011, at 18:55, Andreas Andersson wrote: > >> As always? I appreciate all feedback I can get > > > This actually looks quite decent: it needs some tinkering if you do not follow the installation guide (I don't want my /etc directory cluttered with software installed by me, for FreeBSD that's /usr/local/etc), but it's nice and easy to use. > > > -- > Peter Boosten > http://www.boosten.org > > >

1 0

slapo-cache and searches by dynlist (with !)
by Angel L. Mateo 27 Jan '11

27 Jan '11

Hello, I'm trying to use pcache overlay to cache queries done by dynlist overlay. This is the configuration I have: database hdb suffix <userSuffix> ... overylay dynlist dynlist-attrset labeledURIObject labeledURI # This is because, data obtained by dynlist is in another ldap directory database ldap suffix dc=mydomain,dc=com access ... uri ldap:/<anotherldap> ... overlay pcache pcache hdb 1000 1 10 60 pcacheAttrset 0 irisClassifCode sn1 givenName pcacheMaxQueries 10000 pcacheTemplate (&(objectClass=)(irisPersonalUniqueId=)) 0 3600 directory /var/lib/ldap/cachepublica cachesize 100 The pcacheTemplate is because labeledURI attributes are in the form: labeledURI: ldap:///dc=mydomain,dc=com?irisClassifCode,sn1,givenName?one? (irisPersonalUniqueID=<someCode>) The final search done in the final ldap directory is: filter="(&(!(objectClass=labeledURIObject))(irisPersonalUniqueID=<someCode>))" so I think I need to negate the search in the pcacheTemplate, but I can't because I get the error: /etc/ldap/slapd.conf: line 419: unable to parse template: AttributeDescription contains inappropriate characters. whenever I try to put the '!' in the template. Is there any way to cache this kind of query? -- Angel L. Mateo Martínez Sección de Telemática Área de Tecnologías de la Información _o) y las Comunicaciones Aplicadas (ATICA) / \\ http://www.um.es/atica _(___V Tfo: 868887590 Fax: 868888337

1 0

MemberOf attribute not being returned
by Mark Cairney 27 Jan '11

27 Jan '11

Hi, I'm sure this was working in the past on this server but Im now not getting anything returned when I request the memberOf attribute. I compiled OpenLDAP 2.4.23 with the following flags: ./configure --prefix=/usr/local/authz --enable-meta --enable-ldap --enable-bdb --enable-monitor --enable-syncprov --enable-translucent --enable-memberof --enable-dyngroup --enable-dynlist --with-threads --with-tls --with-cyrus-sasl --enable-syslog --enable-spasswd cd make depend make make test make install I'm using slapd.d and I have the following in /usr/local/authz/etc/openldap/slapd.d/cn=config/olcDatabase={1}bdb olcOverlay={0}dynlist.ldif olcOverlay={1}memberof.ldif olcOverlay={2}syncprov.ldif The contents of olcOverlay\=\{1\}memberof.ldif are: dn: olcOverlay={1}memberof objectClass: olcOverlayConfig objectClass: olcMemberOf olcMemberOfDangling: ignore olcMemberOfRefInt: FALSE olcMemberOfGroupOC: posixGroup olcMemberOfMemberAD: member olcMemberOfMemberOfAD: memberOf structuralObjectClass: olcMemberOf entryUUID: 4d5a3aa8-fbac-45c9-b259-941d13e02724 creatorsName: cn=config createTimestamp: 20100318151149Z entryCSN: 20100318151149.488341Z#000000#003#000000 modifiersName: cn=config modifyTimestamp: 20100318151149Z olcOverlay: {1}memberof The log is attached. -- The University of Edinburgh is a charitable body, registered in Scotland, with registration number SC005336. Any ideas? The only thing I've changed recently is the ACLs Kind regards, Mark /********************************* Mark Cairney ITI UNIX Section Information Services University of Edinburgh Tel: 0131 650 6565 Email: mark.cairney(a)ed.ac.uk *********************************/

2 2

RE: MemberOf attribute not being returned
by Mark Cairney 27 Jan '11

27 Jan '11

Nevermind, I think I know what's happening. My user account was updated on our current live server running OpenLDAP 2.3 which doesn't have the MemberOf overlay. When this change was applied using syncrepl the memberOf field must have been removed. I'll take the old server out of the syncrepl but in the meantime is there any way to ensure this field is preserved when provisioning accounts in LDAP? Kind regards, Mark /********************************* Mark Cairney ITI UNIX Section Information Services University of Edinburgh Tel: 0131 650 6565 Email: mark.cairney(a)ed.ac.uk *********************************/ -- The University of Edinburgh is a charitable body, registered in Scotland, with registration number SC005336.

1 0

openldap memberof attribute
by Vincent Li 27 Jan '11

27 Jan '11

Hi, I am doing remote authentication using OpenLDAP to login BIGIP, BIGIP has a feature called remoterole to search attribute 'memberof' from LDAP server and once found the attribute, assign the remote user a role defined in various groups like admin, operator... the feature works for Active Directory, but I am unable to make it work for OpenLDAP, I couldn't find 'memberof' attribute in OpenLDAP schema, so I created the 'memberof' attribute in core.schema as below: [root@centos-vli schema]# diff -u core.schema core.schema.orig --- core.schema 2011-01-24 23:54:42.000000000 -0800 +++ core.schema.orig 2011-01-24 23:46:11.000000000 -0800 @@ -345,10 +345,6 @@ DESC 'X.520(4th): pseudonym for the object' SUP name ) -attributetype ( 2.5.4.66 NAME 'memberof' - DESC 'RFC2256: member of a group' - SUP distinguishedName ) - # Standard object classes from RFC2256 # system schema @@ -425,7 +421,7 @@ objectclass ( 2.5.6.9 NAME 'groupOfNames' DESC 'RFC2256: a group of names (DNs)' SUP top STRUCTURAL - MUST ( member $ memberof $ cn ) + MUST ( member $ cn ) MAY ( businessCategory $ seeAlso $ owner $ ou $ o $ description ) ) objectclass ( 2.5.6.10 NAME 'residentialPerson' and here is my sample ldif file: dn: ou=groups,dc=example,dc=com objectclass:organizationalunit ou: groups description: generic groups branch # create the itpeople entry under groups dn: cn=administrator,ou=groups,dc=example,dc=com objectclass: groupofnames cn: administrator description: bigip admin group member: uid=user5,ou=people,dc=example,dc=com dn: uid=user5,ou=People,dc=example,dc=com uid: user5 cn: user5 objectClass: top objectClass: posixaccount objectClass: shadowaccount objectClass: groupOfNames userPassword: secret shadowLastChange: 14997 shadowMin: 0 shadowMax: 99999 shadowWarning: 7 loginShell: /bin/bash uidNumber: 505 gidNumber: 505 homeDirectory: /home/user5 member: cn=administrator,ou=groups,dc=example,dc=com memberof: cn=administrator,ou=groups,dc=example,dc=com I can login BIGIP fine with user5, but I can't get the administrator role defined in BIGIP, is it something I configured wrong in OpenLDAP or the problem is on BIGIP Thanks Vincent

2 1

constraint overlay question
by jarek 27 Jan '11

27 Jan '11

Hello! I'd like to configure constraint for email attribute, where email is constructed from DN in the following way: DN: uid=user, ou=emails, ou=domain.name, ou=domaingroup, ROOT_DN => email: user(a)dmain.name Is it possible ? best regards JT.

1 0

slapd logging in chroot() environment
by Peter Palmreuther 26 Jan '11

26 Jan '11

Hello, I'm running OpenLDAP 2.4.20 in a chroot()-ed environment on Solaris 10. I somehow don't get logging working. I don't see any logging making it's way through syslog. Nor do I get messages to an explicitly configured "logfile". "loglevel" is set to "stat". As soon as I start slapd using "-d ..." I see the messages in the "logfile" configured. Using "truss" I see unsuccessful tries to open "/var/run/syslog_door" until I mount -F lofs /var/run /var/openldap/var/run (with "/var/openldap" being my chroot-directory). Unluckily still no syslog logging. using "pfiles <PID>" I see slapd has got a file handle to "logfile" open. But there's not "write" to this handle in truss output either. Anybody with any idea about if and how chroot-slapd and syslog (or logfile) works? Thanks in advance. -- Best regards, Peter

3 4

deleting schema elements from cn=config
by Tim Gustafson 26 Jan '11

26 Jan '11

Hi, I'm trying to understand how to delete a schema element. I'm running slapd 2.4.23 on FreeBSD 8.1. When I try to run ldapdelete: ldapdelete -H ldap://localhost -D uid=tjg,cn=config -W -x 'cn={7}java,cn=schema,cn=config' I get the following in the log file: ---------- daemon: read activity on 18 daemon: select: listen=6 active_threads=0 tvp=zero connection_get(18) connection_get(18): got connid=1068 connection_read(18): checking for input on id=1068 op tag 0x4a, time 1296090324 conn=1068 op=1 do_delete >>> dnPrettyNormal: <cn={7}java,cn=schema,cn=config> daemon: activity on 1 descriptor <<< dnPrettyNormal: <cn={7}java,cn=schema,cn=config>, <cn={7}java,cn=schema,cn=config> conn=1068 op=1 DEL dn="cn={7}java,cn=schema,cn=config" send_ldap_result: conn=1068 op=1 p=3 send_ldap_result: err=53 matched="" text="" send_ldap_response: msgid=2 tag=107 err=53 daemon: waked daemon: select: listen=6 active_threads=0 tvp=zero conn=1068 op=1 RESULT tag=107 err=53 text= daemon: activity on 1 descriptor daemon: activity on: 18r ---------- cn={7}java,cn=schema,cn=config is empty; I've already deleted all the objectClass and attribute definitions from it, but now it seems I can't delete the schema entry itself. What am I doing wrong? Tim Gustafson Baskin School of Engineering UC Santa Cruz tjg(a)soe.ucsc.edu 831-459-5354

1 0

problem with limits configuration
by Dan Pritts 26 Jan '11

26 Jan '11

Hi all, I'm having trouble with the limits configuration in slapd.conf. I've searched the mailing list, read and re-read man pages, but I just cannot make it work properly. i've got openldap 2.4.23 built from source on RHEL5, 64-bit I'm trying to set "unlimited" size for for my syncrepl user. however, it is not directly related to syncrepl, I've tried with ldapsearch too, similar results. Here is the ldapsearch command i'm trying: ldapsearch -z 19 -x -w PASSWORDHERE -D cn=ldap_repl,ou=srvaccts,dc=internet2,dc=edu -H ldaps://ldap3.internet2.edu/ -b dc=internet2,dc=edu '(cn=*)' With this, query is limited to 19 entries as expected but when i omit the -z option, or tell it anything above 500, and i get, of course, 500 entries. Here is the limits statement from my slapd.conf: limits dn.exact="cn=ldap_repl,ou=srvaccts,dc=internet2,dc=edu" size=unlimited time=unlimited I also tried these: limits dn.exact="cn=ldap_repl,ou=srvaccts,dc=internet2,dc=edu" size=999999999 limits dn.exact="cn=ldap_repl,ou=srvaccts,dc=internet2,dc=edu" size=10000 If I instead use sizelimit size=unlimited my ldapsearch command of course gives me full results. Please help, I am clearly a knuckle-dragger. thanks, danno Dan Pritts, Sr. Systems Engineer Internet2 office: +1-734-352-4953 | mobile: +1-734-834-7224

2 2

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical January 2011