Using memberOf overlay with groups that contain uids, not DNs
by Oliver Beattie
Hi,
I realise the documentation for slapo-memberof indicates that this isn't
possible, but I thought it worthwhile asking here anyway — is it possible to
use the memberOf overlay with groups that use memberUid as their membership
attributes, rather than user DNs?
We have a large existing LDAP database that has thousands of groups like
this, and would very much like to use slapo-memberof.
Any pointers (positive or negative) much appreciated — just so I know for
definite.
—Oliver
10 years
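slapo-memberof maintains memberOf only from a DN-valued member attribute (memberof-member-ad, default member), so memberUid groups have to be resolved to DNs before the overlay can do anything with them. The following is an added example, not code from the thread or from OpenLDAP, that does that resolution offline on constructed data: it maps each memberUid to the user's DN (uid compared case-insensitively, as caseIgnoreMatch would), reports uids that match no entry instead of emitting dangling references, computes the reverse mapping that memberOf would hold, and emits LDIF modify records adding DN values to a member attribute. The sample DNs, the choice of `member` as the target attribute and the assumption that the group entries' objectClasses permit it are all assumptions of the example, not facts from the post.

```python
from collections import defaultdict

# Constructed sample data, not from the original post.
USERS = {  # uid value -> user entry DN
    "alice": "uid=alice,ou=People,dc=example,dc=com",
    "bob": "uid=bob,ou=People,dc=example,dc=com",
}
GROUPS = {  # posixGroup DN -> memberUid values
    "cn=admins,ou=Groups,dc=example,dc=com": ["alice", "Bob"],
    "cn=devs,ou=Groups,dc=example,dc=com": ["bob", "carol"],  # carol has no entry
}


def resolve_members(groups, users):
    """Return ({group DN: [member DNs]}, {group DN: [unresolved uids]}).

    uid is compared case-insensitively (uid uses caseIgnoreMatch), so "Bob"
    resolves to bob's entry. Unresolved uids are reported rather than written
    out: a DN-valued member pointing at no entry is exactly the dangling
    reference that slapo-memberof's memberof-dangling option exists to handle.
    """
    by_uid = {uid.lower(): dn for uid, dn in users.items()}
    members, dangling = {}, {}
    for group_dn, uids in groups.items():
        members[group_dn] = [by_uid[u.lower()] for u in uids if u.lower() in by_uid]
        missing = [u for u in uids if u.lower() not in by_uid]
        if missing:
            dangling[group_dn] = missing
    return members, dangling


def member_of(members):
    """Invert group -> members into member DN -> group DNs (what memberOf holds)."""
    inverted = defaultdict(list)
    for group_dn, dns in members.items():
        for dn in dns:
            inverted[dn].append(group_dn)
    return dict(inverted)


def to_ldif(members, member_attr="member"):
    """LDIF modify records adding DN values; memberUid is left untouched.

    Assumption: the group entries' objectClasses permit `member_attr`
    (schema-dependent, e.g. an RFC2307bis-style auxiliary posixGroup).
    Values with non-ASCII or leading spaces would need the base64 "attr::"
    form; the constructed DNs here do not.
    """
    records = []
    for group_dn, dns in sorted(members.items()):
        if not dns:
            continue
        lines = [f"dn: {group_dn}", "changetype: modify", f"add: {member_attr}"]
        lines += [f"{member_attr}: {dn}" for dn in dns]
        lines.append("-")
        records.append("\n".join(lines))
    return "\n\n".join(records) + "\n"


if __name__ == "__main__":
    members, dangling = resolve_members(GROUPS, USERS)
    for group_dn, uids in dangling.items():
        print(f"# unresolved memberUid in {group_dn}: {', '.join(uids)}")
    print(to_ldif(members))
    for dn, groups in member_of(members).items():
        print(f"# {dn} would get memberOf: {groups}")
```

Run it once against a slapcat dump to see how many uids do not resolve before deciding whether to convert the groups at all; the dangling report is the part that usually surprises people with thousands of legacy groups.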
adding a second node
by Friedrich Locke
Hi folks,
I am beginning to study LDAP and have a question.
In my tree I have a node a=b inserted below c=d,e=f, i.e., a=b,c=d,e=f exists.
What happens if i try to insert a "new" a=b below c=d,e=f ?
Thanks in advance.
Gustavo.
10 years
Re: Antwort: Re: RHEL 6 OpenLDAP 2.4.19-15.el6 init problem
by Quanah Gibson-Mount
--On Friday, April 01, 2011 6:05 AM +0100 Markus Moj <MMoj(a)timocom.com>
wrote:
>
> Hi,
>
> due to update and security policies in my company we are using the stable
> version of the delivered build in openLDAP from Red Hat.
Hi Markus,
While I understand this is often the case with companies, this policy is
short-sighted. If you want to have a stable, secure, and functional LDAP
server, then you need to be able to build OpenLDAP from source.
If you insist on using RedHat's outdated and flawed packages, then you need
to contact RedHat support to fix any bugs you find with it, as the advice
from upstream will always be for you to build and install the current
OpenLDAP version to verify whether or not any bugs you find actually exist
in a current release. I would suggest you read over the change logs since
OpenLDAP 2.4.19 was released to get an idea of the numerous issues that
have been fixed since that release went out.
--Quanah
--
Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
10 years
Dealing with BDB Crash
by ldap@mm.st
A while ago I posted that we were having what we thought were random bdb
backend crashes with the following in our log:
bdb(o=example.com): PANIC: fatal region error detected; run recovery.
This was on our RH5 openldap servers (2.3.43) that we were
rebuilding:
It appears that the crashes were caused by a vulnerability scanner that
was hitting the server (still testing), even though it was supposed to be
safe. We'll have to investigate what is causing it, maybe we will need
an acl to stop whatever the scanner is doing. Once we stopped the
automated scan, the servers seem to be running as expected.
But, this brought up another issue. When the bdb backend failed, the
slapd process continued to run and listen on the ldap ports, and clients
still tried to connect to the failed server for authentication. The
server accepted and established the connection with the client. Of
course the client could not authenticate since the backend db was down.
The client will not fail over to the other server that is listed in its
ldap.conf file since it thinks it has a valid connection. If the slapd
process is not running then the failover works fine since no ports are
there for the client to connect to.
I'm thinking that bdb failures will be rare once we solve the scanner
issue, but on a network that relies heavily on ldap, a failed bdb
backend with a running slapd would cause significant issues.
Just trying to restart the slapd service doesn't fix the issue, a manual
recovery is required (slapd_db_recover). I was curious if anyone has
put something in place to deal with this potential issue? Maybe run
slapd_db_status via cron and if it errors due to a bdb corruption, just
stop slapd and let the admin know. At least the clients would be able
to failover to the other ldap servers. I guess an automated recovery is
possible via a script, but I'm not sure if that's a good idea. Maybe
dealing with this type of failure is not really required, I was hoping
that some of you that have been doing this for a while would have some
insight.
10 years
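The failure mode described above (slapd still accepting connections while the backend is dead, so clients never fail over) is what a health check has to detect, and a TCP-level check cannot: it has to perform a real search. The following is an added example, not code from the post or from OpenLDAP, of a cron-driven probe in that spirit. It runs a base-scope search against the local server with ldapsearch, classifies the outcome by exit status (ldapsearch exits with the LDAP result code of the operation, and with 255 when it cannot reach the server at all), and stops slapd only in the "listening but not serving" state so that clients fall back to the other servers in their ldap.conf. The suffix, the init script name (`service ldap`), the timeouts and the syslog tag are assumptions of the example; recovery itself is deliberately left to an administrator.

```python
import subprocess

LDAP_URI = "ldap://127.0.0.1"
BASE_DN = "o=example.com"        # assumed suffix; use the real one
TIMEOUT = 10                     # seconds; assumed
STOP_CMD = ["/sbin/service", "ldap", "stop"]   # assumed RHEL5 init script name

HEALTHY, DOWN, DEGRADED = "healthy", "down", "degraded"


def decide(rc):
    """Classify a probe exit status.

    ldapsearch exits with the LDAP result code of the search and with 255 (-1)
    when it could not contact the server at all. Only that last case is
    'down' in the sense that matters here: the listener is gone and clients
    fail over by themselves. Any other non-zero status means slapd accepted
    the connection but could not serve the search, the state the post
    describes, so it is reported as 'degraded'.
    """
    if rc == 0:
        return HEALTHY
    if rc in (255, -1):
        return DOWN
    return DEGRADED


def probe(uri=LDAP_URI, base=BASE_DN, timeout=TIMEOUT):
    """Run a real search (not just a TCP connect) against the local server."""
    cmd = ["ldapsearch", "-x", "-LLL", "-H", uri, "-b", base, "-s", "base",
           "-l", str(timeout), "1.1"]          # -l: server-side time limit
    try:
        rc = subprocess.run(cmd, capture_output=True, timeout=timeout * 2).returncode
    except subprocess.TimeoutExpired:
        return DEGRADED          # connection accepted, answer never came
    except FileNotFoundError:
        raise SystemExit("ldapsearch not installed on this host")
    return decide(rc)


def react(state, stop_cmd=STOP_CMD, dry_run=False):
    """Stop slapd when it is up but unable to serve, so clients fail over.

    Running db_recover automatically is left out on purpose: recovery on a
    server that may still be written to is a decision for a human. Returns
    the action taken so it can be checked; dry_run skips the actual stop.
    """
    if state != DEGRADED:
        return "none"
    if not dry_run:
        subprocess.run(stop_cmd, check=False)
        subprocess.run(["logger", "-p", "daemon.crit", "-t", "ldap-healthcheck",
                        "slapd stopped: backend not serving searches, run recovery"],
                       check=False)
    return "stopped"


if __name__ == "__main__":
    state = probe()
    print(state, react(state))
```

Schedule it from cron every minute or two on each server; because a healthy probe is a single base-scope search returning no attributes (`1.1`), the load it adds is negligible.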
issue with slapadd
by Judith Flo Gaya
Hello,
I'm using openldap-server 2.4.19-15 in a Red Hat 6 box (x86_64), rpm
installation.
This is the very first time I use ldap and I'm having some issues with
the configuration.
I read that the slapd.conf file should not be used; instead the slapd.d
directory is the new system that is meant to be used.
As I don't know how this exactly works, I've been reading and following
the tutorial on the openldap page. Specifically I read the
Administration Guide and I copied and adapted the config.ldif file to suit
my needs.
After a while I managed to run the command:
slapadd -F /etc/openldap/slapd.d -n 0 -l config.ldif
with no problems. I thought that once this was done slapd should
start smoothly, but instead I'm having a slaptest error saying that my
configuration FILE is wrong. As the slapd.conf doesn't exist, I don't
know where this error comes from. I tried
#slaptest -v -d1 -F ../slapd.d/
[......]
ldif_back_add: "olcDatabase={-1}frontend,cn=config"
oc_check_required entry (olcDatabase={-1}frontend,cn=config),
objectClass "olcDatabaseConfig"
oc_check_required entry (olcDatabase={-1}frontend,cn=config),
objectClass "olcFrontendConfig"
oc_check_allowed type "objectClass"
oc_check_allowed type "olcDatabase"
oc_check_allowed type "olcAddContentAcl"
oc_check_allowed type "olcLastMod"
oc_check_allowed type "olcMaxDerefDepth"
oc_check_allowed type "olcReadOnly"
oc_check_allowed type "olcMonitoring"
oc_check_allowed type "structuralObjectClass"
oc_check_allowed type "entryUUID"
oc_check_allowed type "creatorsName"
oc_check_allowed type "createTimestamp"
oc_check_allowed type "entryCSN"
oc_check_allowed type "modifiersName"
oc_check_allowed type "modifyTimestamp"
ldif_back_add: err: 68 text:
send_ldap_result: conn=-1 op=0 p=0
slaptest: bad configuration directory!
Since the directory structure was built by the slapadd command, where is
the problem?
I'm sure I'm doing something wrong but I can't find it ;(
Permissions are ok (at the beginning I had issues with the include
core.ldif part of my config.ldif; I ended up pasting the contents into
the config.ldif)
Thanks in advance for your help, hope you can shed some light on this.
j
--
Judith Flo Gaya
Systems Administrator IMPPC
e-mail: jflo(a)imppc.org
Tel (+34) 93 554-3079
Fax (+34) 93 465-1472
Institut de Medicina Predictiva i Personalitzada del Càncer
Crta Can Ruti, Camí de les Escoles s/n
08916 Badalona, Barcelona,
Spain
http://www.imppc.org
10 years
importing ldap database for a BDC
by deconya
Hi list
I'm preparing a BDC server using samba with ldap and I started to import the
database. At first I mentioned an error with the suffix, but that was not the
last of my problems; while importing, this appears:
<= str2entry: str2ad(sambaLogonTime): attribute type undefined
slapadd: could not parse entry (line=81)
_ 0.09% eta 01m elapsed none spd 64.8 k/s
Closing DB...
What am I doing wrong?
First I copied everything inside /etc/ldap/schema/ to the BDC, and I prepared
a backup from the PDC with slapcat. I installed samba and copied smb.conf, modifying
the role. When I run slapadd -l backup.ldif, the error appears.
Any idea?
Thanks And Best Regards
10 years
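Two of the errors on this page come from checks that slapadd and slapd perform on every entry before writing it, and both can be run ahead of time on a dump. Adding a second a=b below c=d,e=f (the question in the second post) is refused with result 68, entryAlreadyExists, which is also the `ldif_back_add: err: 68` in the slaptest trace above; an attribute whose type is not in any loaded schema is refused with `str2ad(<name>): attribute type undefined`, as in the sambaLogonTime error just above. The following is an added example, not code from any of the posts or from OpenLDAP, that pre-flights an LDIF file for both conditions: it collects attribute names from schema files, parses the LDIF, normalizes DNs approximately (case-insensitive, whitespace around `=` and `,` removed; real matching depends on each attribute's syntax) and reports duplicate DNs and undefined attribute types. The schema excerpt and LDIF are constructed for the example; the schema deliberately omits samba.schema so that sambaLogonTime shows up as undefined.

```python
import re

# Attribute types slapd knows without any schema file (those in the
# slaptest trace above are among them); everything else must come from
# a schema file that slapd.conf or cn=config actually includes.
BUILTIN_ATTRS = {
    "objectclass", "structuralobjectclass", "entryuuid", "entrycsn",
    "creatorsname", "createtimestamp", "modifiersname", "modifytimestamp",
}

# Constructed, abridged schema text: core cn/uid, nis uidNumber, no samba.
SCHEMA = """
attributetype ( 2.5.4.3 NAME ( 'cn' 'commonName' ) SUP name )
attributetype ( 0.9.2342.19200300.100.1.1 NAME ( 'uid' 'userid' )
        EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
attributetype ( 1.3.6.1.1.1.1.0 NAME 'uidNumber' EQUALITY integerMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
objectclass ( 1.3.6.1.1.1.2.0 NAME 'posixAccount' SUP top AUXILIARY
        MUST ( cn $ uid $ uidNumber ) )
"""

# Constructed LDIF: the same DN twice (second spelled differently) and one
# entry carrying a samba attribute no included schema defines.
LDIF = """version: 1

dn: a=b,c=d,e=f
cn: first

dn: A=B, c=d,e=f
cn: second copy of the same entry

dn: uid=alice,ou=People,dc=example,dc=com
objectClass: account
objectClass: posixAccount
cn: Alice
uid: alice
uidNumber: 1000
sambaLogonTime: 0
structuralObjectClass: account
entryUUID:: Zm9v
"""

_NAME_RE = re.compile(
    r"attributetype\s*\(.*?NAME\s+(?:'([^']+)'|\(\s*((?:'[^']+'\s*)+)\))",
    re.IGNORECASE | re.DOTALL,
)


def schema_attribute_names(schema_text):
    """Every NAME (single or parenthesised list) of every attributetype, lowercased."""
    names = set()
    for single, multi in _NAME_RE.findall(schema_text):
        if single:
            names.add(single.lower())
        else:
            names.update(n.lower() for n in re.findall(r"'([^']+)'", multi))
    return names


def parse_ldif(ldif_text):
    """Yield (dn, [(attr, value), ...]) per record.

    Folds continuation lines (leading space), skips comments and the version
    line, and accepts the base64 'attr::' form without decoding it, which is
    enough for name-level checks.
    """
    records, current = [], []
    for raw in ldif_text.splitlines() + [""]:
        if raw.startswith(" ") and current:
            current[-1] += raw[1:]
        elif raw.strip() == "":
            if current:
                records.append(current)
            current = []
        elif not raw.startswith("#"):
            current.append(raw)
    for lines in records:
        dn, attrs = None, []
        for line in lines:
            name, _, value = line.partition(":")
            if name.lower() == "version":
                continue
            value = value.lstrip(": ")      # also drops the second ':' of base64 form
            if name.lower() == "dn":
                dn = value
            else:
                attrs.append((name, value))
        if dn is not None:
            yield dn, attrs


def normalize_dn(dn):
    """Approximate normalization: lowercase, no blanks around '=' and ','."""
    parts = [p.strip() for p in dn.split(",")]
    return ",".join("=".join(s.strip() for s in p.split("=", 1)) for p in parts).lower()


def preflight(ldif_text, known_attrs):
    """Return ({normalized dn: [record numbers]} for duplicates, {undefined attrs})."""
    seen, undefined = {}, set()
    for idx, (dn, attrs) in enumerate(parse_ldif(ldif_text), start=1):
        seen.setdefault(normalize_dn(dn), []).append(idx)
        for name, _ in attrs:
            base = name.split(";", 1)[0].lower()    # strip options like ;binary
            if base not in known_attrs and base not in BUILTIN_ATTRS:
                undefined.add(name)
    duplicates = {k: v for k, v in seen.items() if len(v) > 1}
    return duplicates, undefined


if __name__ == "__main__":
    dups, undef = preflight(LDIF, schema_attribute_names(SCHEMA))
    for dn, where in dups.items():
        print(f"duplicate DN {dn!r} in records {where}: the second add fails with 68")
    for name in sorted(undef):
        print(f"attribute type undefined: {name} (is its schema included?)")
```

To use it on a real system, feed `schema_attribute_names` the concatenation of exactly the schema files the server includes (not every file in the schema directory, which is the gap the samba import above fell into) and `preflight` the slapcat output you intend to slapadd.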
Regexp in rootdn and set-resolving of monitor attr
by Kilian Röhner
Hey,
I have two questions:
1. Is it possible to specify a regexp as rootdn?
2. In an access rule, I have a set like:
by set="(user + ([cn=Current,cn=Time,cn=Monitor]/monitorTimestamp)) &
(this/modifiersName + this/createTimestamp)" write
But it seems that the Monitor part isn't resolved correctly (it returns
empty, and thus the whole set is empty).
What am i doing wrong here?
Thanks!
Regards,
Kilian
10 years
overlay ppolicy not found
by sarath chandra
Hi,
I'm getting this error:
------------------------------------------
Mar 31 18:03:50 if-sr-000033 slapd[2170]: @(#) $OpenLDAP: slapd 2.4.23 (Feb 21 2011 03:15:19) $
	root@IF-SR-000033:/root/ldap/openldap-2.4.23/servers/slapd
Mar 31 18:03:50 if-sr-000033 slapd[2170]: overlay "ppolicy" not found
Mar 31 18:03:50 if-sr-000033 slapd[2170]: slapd stopped.
Mar 31 18:03:50 if-sr-000033 slapd[2170]: connections_destroy: nothing to destroy.
------------------------------------------
The slapd.conf file has these entries also:
modulepath /usr/local/lib
moduleload /usr/local/lib/ppolicy.la
overlay ppolicy
ppolicy_default "cn=Standard Policy,ou=Policies,dc=uaeexchange,dc=com"
ppolicy_use_lockout
------------------------------------------
The OS is CentOS release 5.
Can anybody suggest a solution for this?
TIA
Sarath
10 years