openldap-technical November 2011

openldap-technical@openldap.org

80 participants
91 discussions

Question to an ACL
by Andreas Rudat 18 Nov '11

18 Nov '11

Hi, I'm trying to understand these acl's: {0} to attrs=userPassword,shadowLastChange,sambaNTPassword,sambaLMPassword by dn="cn=admin,dc=foo,dc=bar" write <--admin can read/write by anonymous auth <--anonyomous can auth by self write <--- object owner can read/write by * none <--all other users denied {1}to dn.base="" by * read <-- all can read the root dc=foo, dc=bar {2}to * by dn="cn=admin,dc=studsemi,dc=intern" write <-- by * read so with acl 0: users and admin can read/write passwords, all others can do nothing with that acl 1: ALL can read the root dc=foo,dc=bar acl 2: all other attributes can be read by all others and only admin can also modify all other attributes? so if that is correct, then I think acl 1 isnt needed? Thanks

2 3

MDB (Memory-Mapped Database) for OpenLDAP at UKUUG Spring 2012
by Jan-Piet Mens 18 Nov '11

18 Nov '11

Just a short heads-up for those interested in MDB: I note Howard Chu will be speaking at the Spring 2012 UKUUG conference in Edinburg, UK. More details at [1]. -JP [1]: http://www.flossuk.org/Events/Spring2012/Talks

1 0

trigger script on change to db
by E.S. Rosenberg 16 Nov '11

16 Nov '11

I was wondering is it possible to set a slapd syncprov consumer to trigger a script when it receives changes to the db (updates of specific attributes). Basically we have a bunch of flat files that are created and maintained based on information kept in slapd which need to either: - run every X time and just dumbly regenerate the files. - run every X time and somehow establish whether changes happened before regenerating the files (maybe by using the contextCSN attribute of the root object) - run whenever a change happens In a situation with not too many changes the third option is best, and in situations with lots of changes the second option is probably better. But is the third option even possible? Thanks and best regards, Eli

4 6

Search access does not return any result
by sim123 15 Nov '11

15 Nov '11

Hi All, I am playing with access controls on openldap 2.4.26, I have a user with search access on everything access to * by anonymous auth by dn="uid=102,ou=system,dc=example,dc=com" search And when I perform search I get nothing ldapsearch -H "ldap://testldap:389" -D "uid=102,ou=system,dc=example,dc=com" -b "ou=users,dc=example,dc=com" -x -W '(uid=1)' mail cn dn Enter LDAP Password: # extended LDIF # # LDAPv3 # base <ou=users,dc=example,dc=com> with scope subtree # filter: (uid=1) # requesting: mail cn dn # # search result search: 2 result: 0 Success # numResponses: 1 so I get a success but no value, is it a valid response? I want to control access so that the "uid=102" user can do lookup from given attributes but can not do (objectClass=*) to get a list of every entry in the ldap. Thanks for the help

2 4

A question about Mirror mode sync
by Andrew Liu 15 Nov '11

15 Nov '11

Hi All, I set up two machines as LDAP server under mirror replication mode using openldap-2.4.26。 I found a problem: when a server was down, any LDAP *add *operation on the running server will not propagate *immediately *to the previous down server after it has restarted, but the LDAP *delete* operation can do. and I found *after 5-10 *minutes, the *add *operation content can be found on the previous down server. but it seems the time is not constant. My question: How to enable the add operations content to propagates to the previous down server *immediately*? I have ever tried "-c rid=001,sid=001,csn=0 " to force a full load, but didn't take effect. I read the OpenLDAP doc, found the session-log doesn't include add operation, what's sync mechanism of the add operation. Thanks BRs, Andrew I

1 0

Overlays syncrepl and smbk5pwd
by Francesco Storti 15 Nov '11

15 Nov '11

Hi, I am using both syncrepl (for replication) and smbk5pwd (for password synchronisation between samba and ldap account) overlays. I have configured replication in the simplest way: a read-only producer that forwards updates to the provider thought updateref. If I change my password thought passwd command on a client with pam modules configured for gaining information from the provider everything works fine (userPassword, sambaLMPassword and sambaNTPassword are correctly syncronized). Instead, if I change my password thought passwd command on another client with pam modules configured for gaining information from the consumer only the userPassword is changed. I do not understand why. Has someone experimented the same problem? Thank you in advance.

3 3

Re: cn=config ACL consultation (BUG)
by Olivier 15 Nov '11

15 Nov '11

Addendum : Ldap is up and running with my configuration : [root@ldap2]# ps auxwww | grep slapd ldap 17190 0.0 1.1 426480 44384 ? Ssl Nov14 0:05 /usr/sbin/slapd -h ldap:/// -u ldap And the directory sounds to respond exactly as I wish to usual queries. However, here is a slapcat output : [root@ldap2]/usr/sbin/slapcat -F /etc/openldap/slapd.d -l ldap-conf.ldif PROXIED attributeDescription "OU" inserted. PROXIED attributeDescription "DC" inserted. olcSyncrepl: value #0: rootDN must be defined before syncrepl may be used config error processing olcDatabase={1}bdb,cn=config: rootDN must be defined before syncrepl may be used slapcat: bad configuration directory! I checked and that's true that the synchronisation doesn't work properly anymore. I had to reinserted this to have everything working well : dn: olcDatabase={1}bdb,cn=config OlcrootDN cn=Manager,dc=example,dc=fr ( no need for OlcrootPW) -- Olivier On Mon, Nov 14, 2011 at 5:15 PM, Olivier Guillard <olivier(a)guillard.nom.fr> wrote: > Hi there, > > I would like to have your feeling or advices about the following acl > strategy for ldap administration issues (cn=config and actual directory > administration). I have tested that and it sounds to work properly : > > My idea is to create two groups of people : one for those > that administrates accounts in the directory, and another for > those that are able to tune "cn=config" > > Basically, I have the following DIT : cn=config and dn: dc=example,dc=fr > > I have then created two "groupOfnames" (admin-ldap and > admin-dir) and tuned ACL so that : directory admins can modify > accounts and ldap admins can modify "slapd.d" > > I also have removed RootDN as well as RootPW both in : > olcDatabase={0}config,cn=config > as well as in > olcDatabase={1}bdb,cn=config > > so that maintenance operation are not performed as "RootDN" > anymore. > > ANY REACTIONS OR ADVICES ON THAT ? > > > HARE IS HOW I HAVE TUNED THAT : > > # Entries for the two groupofnames : > > dn: cn=admin-dir,ou=system,dc=example,dc=fr > cn: admin-dir > member: uid=guillard,ou=people,dc=example,dc=fr > member: uid=foo,ou=people,dc=example,dc=fr > member: uid=shmol,ou=people,dc=example,dc=fr > objectclass: groupOfNames > objectclass: top > > dn: cn=admin-ldap,ou=system,dc=example,dc=fr > cn: admin-ldap > member: uid=guillard,ou=staff,ou=people,dc=example,dc=fr > member: uid=pick,ou=staff,ou=people,dc=example,dc=fr > objectclass: groupOfNames > objectclass: top > > > ### ACL : > > dn: olcDatabase={0}config,cn=config > objectclass: olcDatabaseConfig > olcaccess: {0}to * by group.exact="cn=admin-ldap,ou=system,dc=example > ,dc=fr" write by * none > ... > > ### And : > > dn: olcDatabase={1}bdb,cn=config > objectclass: olcDatabaseConfig > objectclass: olcBdbConfig > ... > olcaccess: {0}to dn.base="dc=example,dc=fr" by > group.exact="cn=admin-ldap,ou=system,dc=example,dc=fr" write > by group.exact="cn=admin-dir,ou=system,dc=example,dc=fr" read > by dn.base="cn=replication,ou=system,dc=example,dc=fr" read > by * search > olcaccess: {1}to dn.one="dc=example,dc=fr" > by group.exact="cn=admin-ldap,ou=system,dc=example,dc=fr" write > by group.exact="cn=admin-dir,ou=system,dc=example,dc=fr" read > by dn.base="cn=replicator,ou=system,dc=example,dc=fr" > read by users search > by anonymous auth > > ### then : > olcaccess: {2}to dn.subtree="ou=system,dc=example,dc=fr" > by group.exact="cn=admin-ldap,ou=system,dc=example,dc=fr" write > by dn.base="cn=replicator,ou=system,dc=example,dc=fr" read by * none > > ### and : > olcaccess: {3}to dn.subtree="dc=example,dc=fr" > attrs=userPassword,shadowLastChange,loginShell > by group.exact="cn=admin-annuaire,ou=system,dc=example,dc=fr" write > by self write by dn.base="cn=replicator,ou=system,dc=example,dc=fr" > read by users auth by anonymous auth > > ### finally : > olcaccess: {4}to dn.subtree="dc=example,dc=fr" > by group.exact="cn=admin-annuaire,ou=system,dc=example,dc=fr" > write by dn.base="cn=replicator,ou=system,dc=example,dc=fr" > read by users read by anonymous read >

1 0

About set LDAP passwd expires
by Gary Jsz 14 Nov '11

14 Nov '11

Hi,All I want set my ldap user's password expires in linux server. how can to do? or the LDAP service read the linux system's /etc/login.defs file? Thanks.

4 4

biometric authentication
by Chris Lee 14 Nov '11

14 Nov '11

Dear all, I am a newbie to OpenLDAP. I would like to know whether OpenLDAP can interface with other authentication method. For example, finger print authentication. Thanks in advance for all your help. Best regards, Chris

4 4

MDB distribution
by Brett ＠Google 14 Nov '11

14 Nov '11

On Mon, Nov 14, 2011 at 3:20 PM, Howard Chu <hyc(a)symas.com> wrote: > Brett @Google wrote: > > Sorry for the "fuzzy" logic :P, but : >> >> My thoughts for no: >> >> 1. The name will affect only the name of the backend module, which is >> logically a unit under the scope of openldap (and all backends share a >> prefix), it can't exist by itself. >> > > This point is false; libmdb builds on its own and is intended for use in > more than just OpenLDAP. (I already spelled this out in my LDAPCon > presentation...) I've ported SQLite to use it, for example, and I will be > porting it to Cyrus SASL (sasldb), Heimdal, and various other miscellaneous > stuff that comes along. The API is fully documented in Doxygen, and part of > the reason I went to that trouble was to ensure that other programmers > could use it easily. Mmm. That sounds interesting. I have only just read your LDAPCon presentation, i have been away. Will the source for mmdb library itself eventually live separately somewhere, or just bundled with ldap ? Cheers Brett -- *The only thing that interferes with my learning is my education.* * Albert Einstein*

2 1

← Newer
1
2
3
4
5
6
7
8
9
10
Older →

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical November 2011