openldap-technical May 2011

openldap-technical@openldap.org

91 participants
81 discussions

help with smbk5pwd-enable
by Brijesh 05 May '11

05 May '11

Hi, I have recently upgraded the openldap and now it doen't start it stops saying that unknown directive <smbk5pwd-enable> inside backend database definition It has been working fine untill the upgrade. I am using heimdal and openldap on mandriva. Following are the details of those packages. openldap-smbk5pwd- 2.4.21-3mdv2010.1 openldap-servers- 2.4.22-2.2mdv2010.2 Any help would be arrciated. Thanks Brijesh

4 7

conditional bind authentication against external ldap server
by Patrick H. 04 May '11

04 May '11

I'm trying to setup a way to have bind requests authenticated by logging into an external ldap server. But to make things more complicated, I only want to do it if a certain attribute is defined on the user's entry. The details: When a user binds, check to see if the 'seeAlso' attribute is defined for the user. If 'seeAlso' is not defined, try to authenticate as normal using the 'userPassword' stored in the local database. If it is defined, 'seeAlso' will contain the DN of the user in another ldap database (Active Directory in this case). Use the seeAlso DN to determine the URI of the ldap db to connect to (right now there is only one Active Directory server, but it would be nice to be able to use different URIs for different suffixes down the road). Attempt to bind to the remote database using the seeAlso DN. If the remote bind succeeds, the local bind also succeeds. The goal here is to allow users to opt into using their Active Directory password for authentication. No data will be pulled from the remote ldap and overlayed on the local account, it is strictly bind authentication only. From searching around, I'm not sure what to use to do this. It seems like slapd-ldap and slapo-chain might both do the remote ldap thing, and then I might use slapo-rwn to somehow do a conditional test for the seeAlso attribute and rewrite the bind DN, but I'm not sure. If anyone could tell me if my idea is even possible, and some starting points if so, it would be much appreciated.

2 2

Re:Alternate target for slapd-meta ?
by michel.gruau 04 May '11

04 May '11

Could anyone confirm my understanding below regarding URI lists ? After the first URI has become unreachable, for how long time is the second URI used. ? Does it switch back immediatly to the first URI when it become aivailable again. Thanks, Michel > Did you read slapd-meta about the uri directive: > "the directive > suffix "dc=foo,dc=com" > uri "ldap://l1.foo.com/dc=foo,dc=com"; "ldap://l2.foo.com/"; > causes l2.foo.com to be contacted whenever l1.foo.com does not > respond. In that case, the URI list is internally rearranged, > by moving unavailable URIs to the end, so that further connec- > tion attempts occur with respect to the last URI that succeeded." > > Or is this not, what you mean? Thank you very much for your reply, I read it but too quickliy, and I missed this possibility. However, my need is that the first URI remains the prefered one. As soon as it become available again, I'd like to switch back to l1.foo.com. Unfortunately, I guess that the current behaviour is to keep using l2.foo.com until it become unavailable too ? Do you confirm this behaviour ? Michel Une messagerie gratuite, garantie à vie et des services en plus, ça vous tente ? Je crée ma boîte mail www.laposte.net

1 0

Re: openldap-technical Digest, Vol 42, Issue 2
by Brijesh 04 May '11

04 May '11

On Mon, 02 May 2011 12:00:01 +0000 openldap-technical-request(a)OpenLDAP.org wrote: > Are you loading the required module? > > moduleload smbk5pwd yes i do load the module > > > Are you defining the overlay prior to trying to enable the different > drivers? > > overlay smbk5pwd > the overlay is defined the overlay before enabling the module and i am using the same config which use to work with previous package. Thanks Brijesh > > Regards, > > Hugo Monteiro.

1 0

Invalid DN Syntax in Shell Script
by Inácio Alves 02 May '11

02 May '11

Hi to all, I'm trying write a script shell to simplifies the change of pass of users. Then I write function verificaSenha(){ whoAmI=`whoami` param=`echo "ldapsearch -x -W -D \"uid=$whoAmI,ou=People,dc=ifce,dc=edu,dc=br\" -b \"dc=ifce,dc=edu,dc=br\" \"(uid=$whoAmI)\""` exec `echo "$param"` } the line param=... produces a command line that when I write directly in the term it works, however in the line exec "$param" I am solicitated my LDAP pass (like in directly term) but when I type I get ldapsearch -x -W -D "uid=inacio,ou=People,dc=ifce,dc=edu,dc=br" -b "dc=ifce,dc=edu,dc=br" "(uid=inacio)" Enter LDAP Password: ldap_bind: Invalid DN syntax (34) additional info: invalid DN what is wrong? Best regards!! -- Atenciosamente, prof. Inácio Alves IFCE/Campus Maracanaú Bacharel em Matemática (UFC)/ Técnico em Conectividade(IFCE) http://www.polluxweb.com/inacioalves/site/

4 3

overlay questions
by Maarten Vanraes 02 May '11

02 May '11

Hey, I'm trying to write an overlay (that triggers an external command after modifications), and it seems the overlay is initialized correctly, but the handler callbacks are not being executed. Do i need to set some kind of flags for it to work properly? (not even _config is being called back). so the extra configuration settings aren't being picked up either...

1 0

tree design
by E.S. Rosenberg 02 May '11

02 May '11

Hello all, I am considering redoing our LDAP tree since it's current design is fairly unfortunate. I have read several articles that said that groups should be a general (and broad) as possible, and as a result of that the LDAP tree should be as free of hierarchy as possible. (An ou for people an ou for machines etc, but no ou for Departments). The reasoning seems to be that since the design of LDAP is optimized for reads and not for writes and managing moves between branches is/was a pain. A lot of said articles seem to be from several years ago and the management tools I have seen seem to make managing more hierarchical trees possible/easy. So I was wondering what the opinions of other users are, do you maybe have suggestions of good articles that are more up to date on this subject? Thanks and best regards, Eli

2 1

Alternate target for slapd-meta ?
by michel.gruau 02 May '11

02 May '11

Hello, I implemented a slapd-meta configuration with several backend directories. I would like to know whether slapd-meta is capable to switch requests to an « alternate target » when a given target is unavailable. Reading all the documentation, I have the feeling this is not possible but I would like to be sure. Thanks in advance, Michel Une messagerie gratuite, garantie à vie et des services en plus, ça vous tente ? Je crée ma boîte mail www.laposte.net

2 2

Red Hat Enterprise 6 client issues
by Sotomayor, Vicente (ITD) 02 May '11

02 May '11

Hello, I'm testing RH 6 Openldap clients and I getting a lot of errors and poor performance while trying to login and also takes serveral minutes for a su - command to work. We are using SSL. I'm seeing plenty of "errors ldap_result() timed out" in the messages file and it also states that it can not contact either ldap server. I enabled root to temporarily ssh and that even takes up 2 minutes. Our RH 5 clients are having no issues. Does anyone know the fix? Thanks pam_ldap.conf : base dc=x,dc=x,dc=x,dc=x uri ldaps://x ldaps://x tls_cacertdir /etc/openldap/cacerts pam_password md5 sudoers_base ou=SUDOers,dc=x,dc=x,dc=x,dc=x nslcd.conf: uid nslcd gid ldap uri ldaps://x ldaps://x base dc=x,dc=x,dc=x,dc=x tls_cacertdir /etc/openldap/cacerts

3 2

EnableXPS
by Leonardo 02 May '11

02 May '11

Dear Friends, I configured XPS in slapd.conf, but when i start my OpenLDAP, it stop and show the following msg "unknown directive <EnableXPS> outside backend info and database definitions.", anybody could help me? Thanks.

3 3

← Newer
1
2
3
4
5
6
7
8
9
Older →

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical May 2011