Well, if your automount information is not the same on both OSes then you
clearly have to duplicate/arrange it ;).
People here use several programs which save the working directory for each
project. That (and the fact that users can log onto whatever workstation they
want to) makes me mount all the NFS directories in the same place on each
2011/10/28 myron <kowalskM(a)cs.moravian.edu>
> I ran into the same config issue. I ended up duplicating the maps because I
> had the macs mount on /home and linux on /users;
> otherwise, I would have just renamed the auto maps on either OS to be the
> Myron Kowalski
> MoCoSIN Network/Systems Administrator
> Moravian College
> On Oct 28, 2011, at 10:13 AM, Frava wrote:
>> I'm configuring Autofs maps via OpenLDAP for some OS X (10.5/6/7) and
>> Linux CentOS (5/6) boxes, and I'm running into a little problem.
>> OS X needs to have an "automountMapName=auto_master" and
>> "automountMapName=auto_home" located in "cn=automountMap,dc=subnet,dc=**
>> Linux needs to have an "automountMapName=auto.master" and
>> "automountMapName=auto.home" located wherever I want in
>> The entries contained in "automountMapName=auto_home" and
>> "automountMapName=auto.home" will be exactly the same ones; so
>> what is the best way to implement it without duplicating them? Using
>> aliases or rwm+relay?
Am 28.10.2011 09:44, schrieb Stewart Walters:
> On any given Linux system (assuming that's what you're using), NSS and PAM do all the authentication.
> In terms of client tools, they link to (and therefore leverage) NSS and PAM, which OpenLDAP plugs in to.
> It's often irrelevant if you use ntlm_pam, mschap, samba+winbind, pam_ldap, freeradius, Authz or any other client tool. They all link back to NSS and PAM, which when configured correctly plugs in to OpenLDAP.
Ok, thanks, but if I don't misunderstand the documentation, then it only
works with cleartext passwords? But is it safe enough then? Because PEAP
isn't supported then either.
> On 28/10/2011, at 2:49 PM, Andreas Rudat <rudat(a)endstelle.de> wrote:
>> Am 28.10.2011 04:28, schrieb Stewart Walters:
>>> Freeradius already supports posixAccount attributes for LDAP account authentication - check the Freeradius website for a howto.
>>> Freeradius and OpenLDAP also support the storing of 802.1x attributes using the RADIUS schema.
>>> There are numerous howto's available on the web for how to implement either.
>>> On 28/10/2011, at 3:28 AM, Andreas Rudat <rudat(a)endstelle.de> wrote:
>>>> I got openldap running as user db for samba, now I want to use it also
>>>> as database for radius, I think it should be possible to use it without
>>>> big modifications or?
>> Ok thanks, I will look. Another question is, do I need any other
>> client tools for Windows/Linux? At the moment I'm using ntlm_auth + mschap
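The question above is whether FreeRADIUS against OpenLDAP only works with cleartext passwords and whether PEAP is then out of reach. The practical point is that PEAP wraps MSCHAPv2, and an MSCHAPv2 responder can only verify a response if it knows the cleartext password or the password's NT hash (MD4 over the UTF-16LE encoding); a salted, irreversible {SSHA} userPassword cannot be used. A Samba-enabled tree already stores exactly that value in sambaNTPassword, which rlm_ldap can hand to rlm_mschap as the NT-Password control attribute. The script below is an added example, not code from the thread or from FreeRADIUS; the MD4 is a plain reimplementation of RFC 1320 for illustration, and `mschapv2_secret` and its entry dict are hypothetical helpers showing which stored attribute can drive MSCHAPv2.

```python
"""NT hash (what MSCHAPv2/PEAP verification needs) from a password.

Added example, not from the original thread. The NT hash is an unsalted
MD4 of the UTF-16LE password: it is password-equivalent, so a
sambaNTPassword attribute needs the same ACL protection as a cleartext
userPassword. Assumption: the MD4 below is a pure-Python reimplementation
of RFC 1320 for illustration; production code would use a library MD4.
"""
import struct

_MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & _MASK


def md4(message: bytes) -> bytes:
    """RFC 1320 MD4 digest (pure Python, illustration only)."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    # padding: 0x80, zeros up to 56 mod 64, then 64-bit little-endian bit length
    bit_len = len(message) * 8
    padded = message + b"\x80"
    padded += b"\x00" * ((56 - len(padded) % 64) % 64)
    padded += struct.pack("<Q", bit_len)
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(padded), 64):
        X = struct.unpack("<16I", padded[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for i in range(16):  # round 1: F, words in order, shifts 3 7 11 19
            a, b, c, d = d, _rotl((a + F(b, c, d) + X[i]) & _MASK, (3, 7, 11, 19)[i % 4]), b, c
        for i, k in enumerate((0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)):  # round 2: G
            a, b, c, d = d, _rotl((a + G(b, c, d) + X[k] + 0x5A827999) & _MASK, (3, 5, 9, 13)[i % 4]), b, c
        for i, k in enumerate((0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)):  # round 3: H
            a, b, c, d = d, _rotl((a + H(b, c, d) + X[k] + 0x6ED9EBA1) & _MASK, (3, 9, 11, 15)[i % 4]), b, c
        a0, b0, c0, d0 = (a0 + a) & _MASK, (b0 + b) & _MASK, (c0 + c) & _MASK, (d0 + d) & _MASK
    return struct.pack("<4I", a0, b0, c0, d0)


def nt_hash(password: str) -> str:
    """Upper-case hex NT hash, the form Samba stores in sambaNTPassword."""
    return md4(password.encode("utf-16-le")).hex().upper()


def mschapv2_secret(entry: dict):
    """Pick what an MSCHAPv2 responder could verify against (hypothetical helper).

    entry maps LDAP attribute names to string values. Returns
    ("NT-Password", hex) when a usable secret exists, or None when only an
    irreversible hash such as {SSHA} is stored: that entry cannot do PEAP/MSCHAPv2.
    """
    if "sambaNTPassword" in entry:
        return ("NT-Password", entry["sambaNTPassword"].upper())
    pw = entry.get("userPassword")
    if pw is not None and not pw.startswith("{"):   # cleartext userPassword
        return ("NT-Password", nt_hash(pw))
    return None


if __name__ == "__main__":
    # constructed sample entries, not data from the thread
    print(nt_hash("password"))
    print(mschapv2_secret({"userPassword": "{SSHA}c2FsdGVkaGFzaA=="}))
    print(mschapv2_secret({"sambaNTPassword": "8846f7eaee8fb117ad06bdd830b7586c"}))
```

The design consequence: if MSCHAPv2 is required, the directory must hold either cleartext or the NT hash for every RADIUS user, and read access to that attribute should be limited to the RADIUS bind identity, since anyone who reads it can authenticate as the user.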
Am 28.10.2011 04:28, schrieb Stewart Walters:
> Freeradius already supports posixAccount attributes for LDAP account authentication - check the Freeradius website for a howto.
> Freeradius and OpenLDAP also support the storing of 802.1x attributes using the RADIUS schema.
> There are numerous howto's available on the web for how to implement either.
> On 28/10/2011, at 3:28 AM, Andreas Rudat <rudat(a)endstelle.de> wrote:
>> I got openldap running as user db for samba, now I want to use it also
>> as database for radius, I think it should be possible to use it without
>> big modifications or?
Ok thanks, I will look. Another question is, do I need any other
client tools for Windows/Linux? At the moment I'm using ntlm_auth + mschap
I have an LDAP server running with all users and respective groups, say
(a.example.net). I was wondering if there is any way I could separate the user
subtree into another OpenLDAP server (b.example.net) and still be able to
define those users as members of groups in a.example.net (for a new
requirement). Basically I want to separate the user repository (which is global)
from all other subsystems like my groups or organizational units which
contain these users as members. If it's possible, please point me to the
documentation; I tried searching all over but could not find enough examples
of referrals or proxying. Another thing I would like to understand is whether
it is a good idea to create another directory server just for user
authentication and reads, and how common that is. Or should I consider replication?
Thanks for the help and support.
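One way to serve a remote user subtree from the server that holds the groups is the back-ldap proxy backend (slapd-ldap(5)): a.example.net answers for ou=users itself by forwarding those operations, including binds, to b.example.net, while group entries on a.example.net carry plain member DNs that point into the proxied subtree. This is an added example, not configuration from the thread; it assumes the suffix dc=example,dc=net, that users live under ou=users,dc=example,dc=net on b.example.net, and an hdb database for the local part.

```conf
# slapd.conf on a.example.net (added example; names are assumptions)
# The proxied subtree must be declared BEFORE the database that serves its
# superior suffix, otherwise slapd rejects the suffix as already served.
database        ldap
suffix          "ou=users,dc=example,dc=net"
subordinate
uri             "ldaps://b.example.net"
# remember the client's credentials so the proxy can re-bind as that user
# if the connection to b.example.net has to be re-established
rebind-as-user  yes
# do not follow referrals returned by b.example.net (avoids proxy loops)
chase-referrals no

# local database: groups, organizational units, everything except users
database        hdb
suffix          "dc=example,dc=net"
rootdn          "cn=admin,dc=example,dc=net"
directory       /var/lib/ldap
```

Two caveats a practitioner should weigh: authentication for users under ou=users is decided by b.example.net, so TLS and the bind policy on that link matter as much as the local ACLs; and overlays such as refint or memberof cannot maintain consistency across the proxy, so a member DN that no longer exists on b.example.net will simply go stale. If a.example.net must keep authenticating users while b.example.net is down, syncrepl replication of the user subtree is the alternative to proxying.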
I've been developing an overlay and I have reached a well-working solution.
But I would really appreciate your opinions about it before sending it to
You can see my source on my site:
Since I'm a student and I needed to do this for my internship,
I will have to write a report on how to write an overlay for OpenLDAP;
I'll be glad to share it as a tutorial for the next overlay developers.
I'm running OpenLDAP with the password policy overlay. After the overlay installation and configuration, we cannot change passwords anymore.
ldappasswd -D cn=username,dc=domain,dc=tld -S -W
New password: ********
Re-enter new password: ********
Enter LDAP Password: ********
Result: Constraint violation (19)
Additional info: Password policy only allows one password value
this is my default password policy:
sn: Default Password Policy
this is my password policy configuration:
Does anyone know what to do?
Thanks in advance for any reply,
Having migrated from slapd.conf, I would like to ask some questions
regarding cases/scenarios where someone - unintentionally - breaks the
So, let's assume that, due to some misspelling or use of wrong values
(esp. when using a graphical LDAP Browser - like JXplorer - to maintain
the configuration DIT), we have added/modified a setting that would
break the installation without warning.
Are there cases where:
1/ LDAP Server will stop immediately? (It is stated that "Beware: You
can configure cn=config to an unusable state.", ref. with example:
2/ LDAP Server will continue to operate but, if stopped, when restarted
it will not be able to restart?
If the answer to Q1.2 above is yes:
How can we test at any given point the current configuration to make
sure it will be OK if/when restarted (AFAIK, slaptest only tests
slapd.conf and not slapd.d configuration)?
*Question 3* (especially critical if the answer to Q1.1 or Q1.2 above is
If the server is stopped, how can we manually change the config settings
(e.g. by editing slapd.d/ files) to attempt to correct it?
(In one such test I did, I changed - directly in "cn=config.ldif" file -
olcLogLevel as follows:
New state (removed one attribute value and changed the other):
and when I tried to start I got:
ldif_read_file: checksum error on
so I had to re-edit the file and change the values as they were
initially, which allowed the server to start.
So (to *repeat Question 3*), how can we "re-engineer" cn=config settings
when off-line? It is always desirable to be able to do some "low-level
engineering" to the configuration (under administrator's or system
engineer's responsibility) in case something goes wrong. This is also
important in cases of "cloning" the server where we want a copy of the
config but we need to change a few settings in the new context. We need
to avoid things like "checksum error"!
Finally, there might be cases where - after having migrated and worked
for a period using cn=config - business/technical needs require the use
of overlay(s) or other modules like SLAPI, which would not be supported
by cn=config and someone would need to move to slapd.conf configuration
(at least temporarily). If such a need arises,
Is there a tool/method to "migrate" to slapd.conf from a slapd.d
Thanks in advance,
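The "checksum error" in Question 3 comes from the header OpenLDAP writes at the top of every file under slapd.d/: a `# AUTO-GENERATED FILE` line followed by `# CRC32 xxxxxxxx`, where the value is the zlib-style CRC32 of everything after that header line. slapd recomputes it on load and refuses the file when a hand edit has changed the body. Off-line editing therefore works if the CRC line is recomputed afterwards; the script below does that. It is an added example, not a tool from the thread or from OpenLDAP, and assumes the 2.4 back-config file layout described above and that slapd is stopped while the file is rewritten. The sample file in the test is constructed.

```python
"""Recompute the '# CRC32' header of a hand-edited cn=config LDIF file.

Added example, not from the original thread. Assumption: the file layout
written by OpenLDAP 2.4 back-config, i.e. a comment header whose
'# CRC32 xxxxxxxx' line is followed by the LDIF body that the checksum
covers. Run only while slapd is stopped.
"""
import re
import sys
import zlib

CRC_LINE = re.compile(rb"# CRC32 ([0-9A-Fa-f]{8})\s*$")


def split_header(data: bytes):
    """Return (bytes before the CRC line, recorded crc, body after the CRC line)."""
    pos = 0
    while data.startswith(b"#", pos):        # walk the leading comment lines only
        nl = data.find(b"\n", pos)
        if nl < 0:
            break
        m = CRC_LINE.match(data[pos:nl])
        if m:
            return data[:pos], m.group(1).decode("ascii").lower(), data[nl + 1:]
        pos = nl + 1
    raise ValueError("no '# CRC32' header line found; not a back-config file?")


def body_crc(body: bytes) -> str:
    """CRC32 as slapd records it: eight lower-case hex digits."""
    return "%08x" % (zlib.crc32(body) & 0xFFFFFFFF)


def check(data: bytes) -> bool:
    """True when the recorded checksum matches the body (slapd would load it)."""
    _, recorded, body = split_header(data)
    return recorded == body_crc(body)


def fix(data: bytes) -> bytes:
    """Return data with the CRC line rewritten to match the current body."""
    prefix, _, body = split_header(data)
    return prefix + b"# CRC32 " + body_crc(body).encode("ascii") + b"\n" + body


def main(argv):
    if len(argv) != 3 or argv[1] not in ("--check", "--fix"):
        print("usage: %s --check|--fix <slapd.d/.../file.ldif>" % argv[0])
        return 2
    with open(argv[2], "rb") as fh:
        data = fh.read()
    if argv[1] == "--check":
        print("ok" if check(data) else "checksum mismatch")
        return 0 if check(data) else 1
    with open(argv[2], "wb") as fh:
        fh.write(fix(data))
    print("rewrote CRC32 header")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

After fixing the header, `slaptest -F /etc/openldap/slapd.d` (the slapd.d directory, not slapd.conf) parses the tree the same way slapd does at start-up, which answers the "test before restarting" question without starting the daemon; run it as the user slapd runs as so file permissions are exercised too.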
Does anybody want to comment on what version of bdb they have in use
and what they recommend?
Personally I have installations running 4.8 and 5.2, and both seem fine.
*The only thing that interferes with my learning is my education.*