pcache + back-sql
by Chris Card
[Let's try that again. Hotmail/Chrome managed to screw up the formatting before]
Does anyone have an example of using the pcache overlay with back-sql?
Here's the relevant section of my slapd.config:
database sql
suffix "......"
rootdn "......."
rootpw ........
dbname MySQL
dbuser .........
subtree_cond "ldap_entries.dn like CONCAT('%',?)"
insentry_stmt "INSERT INTO ldap_entries (dn,oc_map_id,parent,keyval) VALUES (?,?,?,?)"
has_ldapinfo_dn_ru no
baseobjectupper_func UPPER
autocommit yes
pcache bdb 10000 1 50 100
pcacheAttrset 0 * +
pcacheTemplate (objectClass=) 0 60
...
pcache-directory /var/tmp/cache
pcache-cachesize 100
What I'm unclear about is how to configure the private bdb database used for the cache.
When I use this config, slapd starts up OK, but crashes with a SEGV when (I assume) it tries to cache a result:
(I am running slapd built from the latest code in HEAD from git)
slap_queue_csn: queing 0xb7a52efa 20110629132038.554471Z#000000#000#000000
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0xb7a55b90 (LWP 26226)]
0x080f3844 in slap_queue_csn (op=0xb7a53378, csn=0xb7a52f60) at ctxcsn.c:199
199 LDAP_TAILQ_INSERT_TAIL( be->be_pending_csn_list,
(gdb) where
#0 0x080f3844 in slap_queue_csn (op=0xb7a53378, csn=0xb7a52f60) at ctxcsn.c:199
#1 0x080f38e0 in slap_get_csn (op=0xb7a53378, csn=0xb7a52f60, manage_ctxcsn=1) at ctxcsn.c:214
#2 0x08079f33 in slap_add_opattrs (op=0xb7a53378, text=0xb7a53214, textbuf=0xb7a53074 "", textlen=256, manage_ctxcsn=1) at add.c:609
#3 0x0814187b in bdb_add (op=0xb7a53378, rs=0xb7a53200) at add.c:107
#4 0x081a144e in merge_entry (op=0xb7a53378, e=0x9f56e4c, dup=0, query_uuid=0xa040848) at pcache.c:865
#5 0x081a4d1c in cache_entries (op=0x9fdbfc8, query_uuid=0xa040848) at pcache.c:2325
#6 0x081a5244 in pcache_op_cleanup (op=0x9fdbfc8, rs=0xb7a550e4) at pcache.c:2430
#7 0x08084697 in slap_cleanup_play (op=0x9fdbfc8, rs=0xb7a550e4) at result.c:539
#8 0x08084dd3 in send_ldap_response (op=0x9fdbfc8, rs=0xb7a550e4) at result.c:724
#9 0x0808554e in slap_send_ldap_result (op=0x9fdbfc8, rs=0xb7a550e4) at result.c:851
#10 0x0813e4a3 in backsql_search (op=0x9fdbfc8, rs=0xb7a550e4) at search.c:2493
#11 0x0807402e in fe_op_search (op=0x9fdbfc8, rs=0xb7a550e4) at search.c:402
#12 0x080f1aaa in overlay_op_walk (op=0x9fdbfc8, rs=0xb7a550e4, which=op_search, oi=0x9f3dc80, on=0x0) at backover.c:671
#13 0x080f1c5f in over_op_func (op=0x9fdbfc8, rs=0xb7a550e4, which=op_search) at backover.c:723
#14 0x080f1d0e in over_op_search (op=0x9fdbfc8, rs=0xb7a550e4) at backover.c:750
#15 0x0807397d in do_search (op=0x9fdbfc8, rs=0xb7a550e4) at search.c:247
#16 0x08070704 in connection_operation (ctx=0xb7a551d0, arg_v=0x9fdbfc8) at connection.c:1138
#17 0x08070c44 in connection_read_thread (ctx=0xb7a551d0, argv=0xd) at connection.c:1274
#18 0x081e04a5 in ldap_int_thread_pool_wrapper (xpool=0x9f11f78) at tpool.c:685
#19 0x004be5ab in start_thread () from /lib/libpthread.so.0
#20 0x003b2cfe in clone () from /lib/libc.so.6
It crashes because be->be_pending_csn_list is zero, presumably because backend_startup_one() has not been called for this backend. This leads me to believe that I need something in slapd.conf to get the private bdb database initialised, but what?
Chris
11 years, 11 months
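For reference, here is a slapd.conf fragment for the same back-sql + pcache setup. It is an added example, not the poster's configuration and not text from the OpenLDAP documentation: it assumes the documented layout in which the overlay is declared with `overlay pcache` on the database before the `pcache*` directives, and in which the private database's own backend directives are given with the `pcache-` prefix (the form the post already uses). The suffix, rootdn, dbuser and the cache directory path are placeholders. One practitioner point: the private BDB holds copies of whatever the templates cache, so it belongs in a directory only slapd's user can read, not under a world-writable /var/tmp.

```conf
database        sql
suffix          "dc=example,dc=com"
rootdn          "cn=manager,dc=example,dc=com"
rootpw          secret
dbname          MySQL
dbuser          ldap
subtree_cond    "ldap_entries.dn like CONCAT('%',?)"
insentry_stmt   "INSERT INTO ldap_entries (dn,oc_map_id,parent,keyval) VALUES (?,?,?,?)"
has_ldapinfo_dn_ru no
baseobjectupper_func UPPER
autocommit      yes

# Declare the overlay on this database; the pcache* directives below
# configure it.
overlay         pcache
# <db> <max_entries> <numattrsets> <entry_limit> <cc_period>
pcache          bdb 10000 1 50 100
# attribute set 0: all user attributes plus operational ones
pcacheAttrset   0 * +
# cache (objectClass=<value>) searches with attrset 0, TTL 60 s
pcacheTemplate  (objectClass=) 0 60

# Directives for the private bdb database, prefixed with "pcache-".
# The directory must exist before slapd starts, be owned by the user
# slapd runs as, and be mode 0700 (assumed path).
pcache-directory /var/lib/ldap/pcache
pcache-cachesize 100
```

After editing, `slaptest -f slapd.conf -u` checks that the directives parse before slapd is restarted; the `-u` flag skips opening the databases, so it works even when the cache directory does not exist yet.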
fetching information
by Friedrich Locke
I am planning on using OpenLDAP to fetch user/group information.
Below my main tree there will be ou=people and ou=group, and below
those the regular user or group information.
It happens that a program (ypserv) will fetch information from the tree,
binding as cn=ypserv just below my main tree.
This binding should be authenticated, so what should cn=ypserv's attributes be?
What about access rules for it?
Thanks a lot for your time and cooperation.
Best regards!
Fried.
11 years, 11 months
Connections
by Friedrich Locke
I would like to see how many connections OpenLDAP is serving at a
given moment. I am trying this:
sioux@gustav$ ldapsearch -LLL -W -D cn=oldap,dc=ufv,dc=br -b
cn=current,cn=connections,cn=monitor -H ldap://gustav.cpd.ufv.br/
objectclass=*
Enter LDAP Password:
dn: cn=Current,cn=Connections,cn=Monitor
objectClass: monitorCounterObject
cn: Current
sioux@gustav$
I cannot see the number of connections. Where is my mistake?
Thanks a lot.
11 years, 11 months
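The counter is present; it lives in monitorCounter, which is an operational attribute, and slapd returns operational attributes only when the client names them (or asks for all of them with `+`). The script below is an added example, not from the post: it wraps the corrected ldapsearch (host and bind DN taken from the post, `-x` added for a simple bind), extracts the counter from the LDIF, and turns it into a threshold check of the kind a monitoring probe would run. The LDIF at the end is a constructed sample of the query's output, and the threshold is arbitrary.

```sh
#!/bin/sh
# Added example; host, bind DN and monitor entry come from the post.

# The real query. Note the attribute list at the end: without
# "monitorCounter" (or "+") only cn and objectClass come back.
# Not executed below because it needs the live server.
query_connections() {
  ldapsearch -x -LLL -W -D cn=oldap,dc=ufv,dc=br \
    -H ldap://gustav.cpd.ufv.br/ \
    -b cn=Current,cn=Connections,cn=Monitor -s base \
    '(objectClass=*)' monitorCounter
}

# Read LDIF on stdin and print the monitorCounter value.
# Exit status 1 if the attribute is absent (the original symptom).
counter_from_ldif() {
  awk 'tolower($1) == "monitorcounter:" { print $2; found = 1 }
       END { exit found ? 0 : 1 }'
}

# Return 0 when count <= limit, 2 when it exceeds it (alarm).
check_threshold() {
  limit="$1"; count="$2"
  [ "$count" -gt "$limit" ] && return 2
  return 0
}

# Constructed sample of what query_connections prints once the
# operational attribute is requested.
SAMPLE='dn: cn=Current,cn=Connections,cn=Monitor
monitorCounter: 42
'

# Stand-alone demonstration on the sample (no server needed).
printf '%s' "$SAMPLE" | counter_from_ldif
```

In production the pipeline is `query_connections | counter_from_ldif`, with the result fed to `check_threshold` and the exit status mapped onto the monitoring system's warning/critical states.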
protected entry
by Friedrich Locke
Dear list users,
I would like to have an entry in my OpenLDAP server that needs to
have a password, so that clients would be able to bind as it by
providing its password.
For instance: cn=x,ou=y,dc=a,dc=b
So anyone knowing the password of "cn=x,ou=y,dc=a,dc=b" could bind as it.
Any idea?
Thanks.
11 years, 11 months
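The "fetching information" post (cn=ypserv) and this one ask for the same thing: an entry that exists only so that a client can bind as it, plus access rules scoped to what that client needs. The LDIF below is an added example, not from either post. It uses the suffix dc=ufv,dc=br from the author's other posts and the ou=people / ou=group names from the ypserv post; the database name olcDatabase={1}hdb, the description text and the password placeholder are assumptions, and the two ldapadd/ldapmodify command lines in the comments are the usual invocations, not something the posts show. The pattern is standard: organizationalRole for the structural class, simpleSecurityObject to allow userPassword.

```ldif
# The service entry, loaded once with the directory's admin identity:
#   ldapadd -x -D cn=oldap,dc=ufv,dc=br -W -H ldap://gustav.cpd.ufv.br/ -f ypserv.ldif
dn: cn=ypserv,dc=ufv,dc=br
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: ypserv
description: NIS gateway; bind-only service account
# hash produced by "slappasswd -h {SSHA}"; never store the cleartext
userPassword: {SSHA}REPLACE-WITH-SLAPPASSWD-OUTPUT

# Access rules for it, replacing the user database's olcAccess list
# (database name assumed; check with "ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config olcSuffix"):
#   ldapmodify -Y EXTERNAL -H ldapi:/// -f ypserv-acl.ldif
dn: olcDatabase={1}hdb,cn=config
changetype: modify
replace: olcAccess
# {0}: anonymous may only *use* a password to bind ("auth"), never read it.
# ypserv gets read on the hash only if its maps must carry it;
# drop that clause if they do not.
olcAccess: {0}to attrs=userPassword
  by self write
  by anonymous auth
  by dn.exact="cn=ypserv,dc=ufv,dc=br" read
  by * none
# {1},{2}: the service account may read the two subtrees it serves.
olcAccess: {1}to dn.subtree="ou=people,dc=ufv,dc=br"
  by dn.exact="cn=ypserv,dc=ufv,dc=br" read
  by self write
  by users read
  by * none
olcAccess: {2}to dn.subtree="ou=group,dc=ufv,dc=br"
  by dn.exact="cn=ypserv,dc=ufv,dc=br" read
  by users read
  by * none
# {3}: the service entry itself is invisible. Binding still works,
# because rule {0} already granted "auth" on its userPassword.
olcAccess: {3}to dn.exact="cn=ypserv,dc=ufv,dc=br"
  by * none
olcAccess: {4}to * by * none
```

Rules are evaluated in order and the first `to` clause that matches wins, which is why the userPassword rule comes first and the catch-all last. A quick check that the account can bind but sees nothing beyond its two subtrees: `ldapwhoami -x -D cn=ypserv,dc=ufv,dc=br -W` should succeed, and `ldapsearch -x -D cn=ypserv,dc=ufv,dc=br -W -b dc=ufv,dc=br '(cn=ypserv)'` should return no entry.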
chaining through proxy and slave
by Hugo Monteiro
Hello list,
With the following scenario
Client (A) <-----> back_ldap Proxy (B) <-----> syncrepl Slave (C)
<-----> Master (D)
and B and C use a binddn that only has full read permissions on the
database, except for a couple of attributes, on which it has full write
permissions. Also, each of the represented nodes can only "talk" to the
nodes to which there is a represented connection, so (A) and (B) cannot
chase a configured referral to (D).
What would be the proper way to set up (B) and (C) so that (A) could push
updates for the couple of attributes into the master (D) node?
At the slave level, I've already set up chaining, making it use (D) as
updateref, but then any push on (B) would not propagate. I also noticed
that although I used mode=self in the chaining, I had to configure a
binddn which had full write permissions. Wouldn't it be sufficient to
have a full-read-enabled binddn, or even no binddn at all, since the bind
would then be made using the client's credentials?
Thanks in advance,
Hugo Monteiro.
--
fct.unl.pt:~# cat .signature
Hugo Monteiro
Email : hugo.monteiro(a)fct.unl.pt
Telefone : +351 212948300 Ext.15307
Web : http://hmonteiro.net
Divisão de Informática
Faculdade de Ciências e Tecnologia da
Universidade Nova de Lisboa
Quinta da Torre 2829-516 Caparica Portugal
Telefone: +351 212948596 Fax: +351 212948548
www.fct.unl.pt apoio(a)fct.unl.pt
fct.unl.pt:~# _
11 years, 11 months
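For the slave-to-master leg, the relevant mechanics are those of slapo-chain(5) and the idassert feature of slapd-ldap(5): with `mode=self` the chain overlay binds to the master as its own configured identity and attaches a proxyAuthz control carrying the client's DN, so the master evaluates the write against the client's DN, not the proxy's. What the proxy identity needs at the master is therefore the right to bind and the right to assert those DNs (`authzTo`), not write access to the attributes. The fragment below is an added example, not Hugo's configuration: hostnames, DNs, the `cn=chain-proxy` identity and the two attribute names are placeholders. The `authz-policy`/`authzTo` pair is slapd.conf(5) syntax; `authzTo` must be set as an attribute on the proxy identity's entry at (D).

```conf
#### on (C), the syncrepl slave: in its database section ####
# Writes are answered with a referral to (D) ...
updateref       "ldap://master.example.com/"
# ... which the chain overlay follows on the client's behalf.
overlay         chain
chain-uri       "ldap://master.example.com/"
# Bind to (D) as the proxy identity, then assert the client's own DN.
chain-idassert-bind  bindmethod="simple"
    binddn="cn=chain-proxy,dc=example,dc=com"
    credentials="secret"
    mode="self"
# Return (D)'s error to the client instead of the referral on failure.
chain-return-error TRUE

#### on (D), the master ####
# Let an identity assert other DNs only if its own entry's authzTo
# attribute lists them.
authz-policy    to
# The entry cn=chain-proxy,dc=example,dc=com at (D) carries, e.g.:
#   authzTo: dn.regex:^uid=[^,]+,ou=people,dc=example,dc=com$
# The write itself is then checked against the asserted client DN,
# so the client's own ACL decides; the proxy identity needs no write
# access here.
access to attrs=mobile,description
    by self write
    by users read
    by * none
access to *
    by users read
    by * none
```

A check from (C): `ldapmodify` as an ordinary user against (C) should succeed for the two attributes and fail with insufficientAccessRights for any other, exactly as it would against (D) directly; if it fails with a proxied-authorization error instead, the `authzTo` value at (D) does not match the DN form the client actually binds with.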
kerberos ldap/host.my.domain
by Friedrich Locke
Hi folks,
I have just installed OpenLDAP and I am facing a situation I would
like to share with you.
In OpenBSD (the OS I am using) I have the keytab file inside
/etc/kerberosV. Its access mode is 600, its ownership is root:wheel.
But OpenBSD specifies a user and group the slapd daemon should run as;
the user is "u" and group "g".
In order to get SASL/GSSAPI working I need to add to the keytab the
principal ldap/host.my.domain. I did it; now the keytab has the
principals host/x.y.z and ldap/x.y.z
But since slapd runs as another user it is prevented from accessing
the keytab file.
So I thought of the following possible solutions:
0) Run slapd as root
1) change the permission of the keytab
Either of those options makes things less secure.
I know there should be some more approaches, but I cannot think of them right now.
How did you handle that?
Thanks a lot for your time and cooperation.
Best regards.
11 years, 11 months
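The approach that avoids both options is a second keytab holding only the ldap/ key, owned by slapd's user and readable by nobody else, with slapd pointed at it through the KRB5_KTNAME environment variable (honoured by both Heimdal and MIT libraries); the host keytab stays root-only. The script below is an added example, not from the post: the path /etc/kerberosV and the principal ldap/host.my.domain are taken from the post, the file name ldap.keytab and the user/group "u"/"g" are placeholders, and the `kadmin -l ext_keytab` invocation assumes Heimdal, which is what OpenBSD ships. The check function is the part worth keeping around; it verifies the ownership and mode before slapd is started.

```sh
#!/bin/sh
# Added example, not from the original post.

# Run once as root. Extracts the existing ldap/ key into its own keytab
# (Heimdal's ext_keytab does not change the key) and hands it to slapd's
# user. Not executed when this file is run.
make_ldap_keytab() {
  kt=/etc/kerberosV/ldap.keytab                     # assumed name
  kadmin -l ext_keytab -k "$kt" ldap/host.my.domain
  chown u:g "$kt"                                   # slapd's user/group
  chmod 0600 "$kt"
  # Then, in the environment slapd is started from (rc script):
  #   export KRB5_KTNAME=FILE:/etc/kerberosV/ldap.keytab
}

# Verify that a keytab is a regular file, owned by the expected user,
# and readable by the owner only (0600 or 0400). Returns 0 if so, 1 if not.
check_keytab() {
  kt="$1"; want_owner="$2"
  [ -f "$kt" ] || return 1
  if stat -c '%a' "$kt" >/dev/null 2>&1; then       # GNU stat (Linux)
    mode=$(stat -c '%a' "$kt"); owner=$(stat -c '%U' "$kt")
  else                                                # BSD stat
    mode=$(stat -f '%Lp' "$kt"); owner=$(stat -f '%Su' "$kt")
  fi
  [ "$owner" = "$want_owner" ] || return 1
  case "$mode" in
    600|400) return 0 ;;
    *)       return 1 ;;
  esac
}

# Example use (prints a verdict; adjust path and user):
#   check_keytab /etc/kerberosV/ldap.keytab u && echo ok || echo "keytab perms wrong"
```

The check is deliberately strict about mode: a keytab that is group- or world-readable lets any local user in that set obtain the service key and impersonate the LDAP server to Kerberos clients, which is the same exposure option 1 in the post would create.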
n-way syncrepl issues
by Marcel van Dorp
Hi list,
I tried to read all information about the subject, both in the mail
archives and on the website (admin guide and faq-o-matic), but somehow
things are not working as expected.
I have 3 servers, Debian 6 with the distro-version of openldap
(2.4.23-7). I use phpldapadmin (PLA for short), version 1.2.0.5. I also
use ldapvi and the standard ldap-tools (ldapadd/ldapmodify etc). I use
the slapd.d/ config backend. My userdata DIT is empty at the moment,
until the issues are resolved.
*) When using n-way multimaster, I understand that the whole DIT is
identical on all servers (assuming full read access for the replication
DN, which is the case). Because of this, I used a generic name for the
certificates, while on each server the content of the files are
server-specific. This works as expected. The other difference between
the servers is the slapd startup command line: in it is each server's
own FQDN. On debian, this is specified in /etc/default/slapd. On server1
this file has:
SLAPD_SERVICES="ldap://127.0.0.1 ldaps://server1.domain.tld ldapi:///"
On server2 the URI changes to ldaps://server2.domain.tld and on server3
it changes likewise. This is all per the admin guide.
For some reason, replication is not working as expected. Some updates go
through, others are ignored and stay local on a server. The servers are
on different subnets with a firewall in-between, but I can access each
server from the other servers using eg 'ldapsearch'.
Question: With n-way multimaster, I understand the DIT should be
identical on all servers. Can I just do tar -czf slapd.conf.tgz
/etc/ldap/slapd.d on one server, and copy and untar this on the other
servers (with slapd stopped) and start slapd? My (anonymized) slapd.d is
at the end of this message (I deleted the (default) schema definitions
for readability).
Question: Is the above-mentioned method a valid way to add/restore an
extra n-way multimaster node in the setup? If so, Do I do the export
AFTER adding the extra node to the config, or BEFORE?
Question: I also want to replicate the dc=domain,dc=tld DIT. Can I use
the same rid values in the replication statements as for the cn=config
DIT, or do they need to be unique within the total config?
Question: I do not like to use the cn=admin,cn=config identity as the
replication ID. Yet I do not have content in the dc=domain,dc=tld DIT,
and thus no way to specify another identity. Can this be solved?
Once the DIT has the identity, I assume I can change the replication ID
(as long as ACLs are not blocking things).
Can anyone answer my questions, or point me in the right direction? I
tried numerous things with all kind of different results, but I feel I
miss some fundamental insight.
Thanks for any help!
Marcel
--------------------------------------------------------------------
Anonymized slapd.d config of server1 (exported using PLA)
--------------------------------------------------------------------
# Server: Server1 (ldap://localhost)
# Search Scope: sub
# Search Filter: (objectClass=*)
# Total Entries: 13
#
# Generated by phpLDAPadmin (http://phpldapadmin.sourceforge.net) on
June 29, 2011 8:19 am
# Version: 1.2.0.5
version: 1
# Entry 1: cn=config
dn: cn=config
cn: config
contextcsn: 20110621205759.540662Z#000000#000#000000
createtimestamp: 20110429201711Z
creatorsname: cn=config
entrycsn: 20110621205759.540662Z#000000#000#000000
entrydn: cn=config
entryuuid: 690a54f4-06e9-1030-9aec-e9c45301ace2
modifiersname: cn=admin,cn=config
modifytimestamp: 20110621205759Z
objectclass: olcGlobal
olcargsfile: /var/run/slapd/slapd.args
olcloglevel: sync
olcloglevel: stats
olcloglevel: args
olcpidfile: /var/run/slapd/slapd.pid
olcserverid: 11 ldaps://server1.domain.tld
olcserverid: 12 ldaps://server2.domain.tld
olcserverid: 13 ldaps://server3.domain.tld
olctlscacertificatefile: /etc/ssl/certs/cacert.org.pem
olctlscertificatefile: /etc/ssl/certs/thishost.crt
olctlscertificatekeyfile: /etc/ssl/private/thishost.key
olctlsverifyclient: NEVER
olctoolthreads: 1
structuralobjectclass: olcGlobal
subschemasubentry: cn=Subschema
# Entry 2: cn=module{0},cn=config
dn: cn=module{0},cn=config
cn: module{0}
createtimestamp: 20110429201711Z
creatorsname: cn=admin,cn=config
entrycsn: 20110429201711.660046Z#000000#000#000000
entrydn: cn=module{0},cn=config
entryuuid: 690b3608-06e9-1030-9af4-e9c45301ace2
modifiersname: cn=admin,cn=config
modifytimestamp: 20110429201711Z
objectclass: olcModuleList
olcmoduleload: {0}back_hdb
olcmoduleload: {1}syncprov.la
olcmodulepath: /usr/lib/ldap
structuralobjectclass: olcModuleList
subschemasubentry: cn=Subschema
# Entry 3: cn=schema,cn=config
### DELETED default schema definitions for readability
# Entry 4: cn={0}core,cn=schema,cn=config
### DELETED default schema definitions for readability
# Entry 5: cn={1}cosine,cn=schema,cn=config
### DELETED default schema definitions for readability
# Entry 6: cn={2}nis,cn=schema,cn=config
### DELETED default schema definitions for readability
# Entry 7: cn={3}inetorgperson,cn=schema,cn=config
### DELETED default schema definitions for readability
# Entry 8: olcBackend={0}hdb,cn=config
dn: olcBackend={0}hdb,cn=config
createtimestamp: 20110429201711Z
creatorsname: cn=admin,cn=config
entrycsn: 20110429201711.707740Z#000000#000#000000
entrydn: olcBackend={0}hdb,cn=config
entryuuid: 69127d0a-06e9-1030-9af5-e9c45301ace2
modifiersname: cn=admin,cn=config
modifytimestamp: 20110429201711Z
objectclass: olcBackendConfig
olcbackend: {0}hdb
structuralobjectclass: olcBackendConfig
subschemasubentry: cn=Subschema
# Entry 9: olcDatabase={-1}frontend,cn=config
dn: olcDatabase={-1}frontend,cn=config
createtimestamp: 20110429201711Z
creatorsname: cn=config
entrycsn: 20110429201711.654507Z#000000#000#000000
entrydn: olcDatabase={-1}frontend,cn=config
entryuuid: 690a5da0-06e9-1030-9aed-e9c45301ace2
modifiersname: cn=config
modifytimestamp: 20110429201711Z
objectclass: olcDatabaseConfig
objectclass: olcFrontendConfig
olcaccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
olcaccess: {1}to dn.exact="" by * read
olcaccess: {2}to dn.base="cn=Subschema" by * read
olcdatabase: {-1}frontend
olcsizelimit: 500
structuralobjectclass: olcDatabaseConfig
subschemasubentry: cn=Subschema
# Entry 10: olcDatabase={0}config,cn=config
dn: olcDatabase={0}config,cn=config
createtimestamp: 20110429201711Z
creatorsname: cn=config
entrycsn: 20110619065612.945749Z#000000#000#000000
entrydn: olcDatabase={0}config,cn=config
entryuuid: 690a693a-06e9-1030-9aee-e9c45301ace2
modifiersname: cn=admin,cn=config
modifytimestamp: 20110619065612Z
objectclass: olcDatabaseConfig
olcaccess: {0}to * by dn.exact=cn=admin,cn=config read by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
olcdatabase: {0}config
olcmirrormode: TRUE
olcrootdn: cn=admin,cn=config
olcrootpw: {SSHA}deletedforsecurityreasons
olcsyncrepl: {0}rid=011 provider=ldaps://server1.domain.tld
binddn="cn=admin,cn=config" credentials="mysecretpassword"
bindmethod=simple starttls=no searchbase="cn=config"
type=refreshAndPersist retry="5 5 300 +" timeout=0 network-timeout=0
filter="(objectclass=*)" attrs="*,+" scope=sub
olcsyncrepl: {1}rid=012 provider=ldaps://server2.domain.tld
binddn="cn=admin,cn=config" credentials="mysecretpassword"
bindmethod=simple starttls=no searchbase="cn=config"
type=refreshAndPersist retry="5 5 300 +" timeout=0 network-timeout=0
filter="(objectclass=*)" attrs="*,+" scope=sub
olcsyncrepl: {2}rid=013 provider=ldaps://server3.domain.tld
binddn="cn=admin,cn=config" credentials="mysecretpassword"
bindmethod=simple starttls=no searchbase="cn=config"
type=refreshAndPersist retry="5 5 300 +" timeout=0 network-timeout=0
filter="(objectclass=*)" attrs="*,+" scope=sub
structuralobjectclass: olcDatabaseConfig
subschemasubentry: cn=Subschema
# Entry 11: olcOverlay={0}syncprov,olcDatabase={0}config,cn=config
dn: olcOverlay={0}syncprov,olcDatabase={0}config,cn=config
createtimestamp: 20110512150606Z
creatorsname: cn=admin,cn=config
entrycsn: 20110522201415.682681Z#000000#000#000000
entrydn: olcOverlay={0}syncprov,olcDatabase={0}config,cn=config
entryuuid: 1ae3191c-10f5-1030-9102-e14c7638455a
modifiersname: cn=admin,cn=config
modifytimestamp: 20110522201415Z
objectclass: olcOverlayConfig
objectclass: olcSyncProvConfig
objectclass: top
olcoverlay: {0}syncprov
olcspcheckpoint: 100 10
structuralobjectclass: olcSyncProvConfig
subschemasubentry: cn=Subschema
# Entry 12: olcDatabase={1}hdb,cn=config
dn: olcDatabase={1}hdb,cn=config
createtimestamp: 20110512144416Z
creatorsname: cn=admin,cn=config
entrycsn: 20110619123128.846982Z#000000#000#000000
entrydn: olcDatabase={1}hdb,cn=config
entryuuid: 0e60d5a6-10f2-1030-9d9b-35ce2d01c34c
modifiersname: cn=admin,cn=config
modifytimestamp: 20110619123128Z
objectclass: olcDatabaseConfig
objectclass: olcHdbConfig
olcaccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=admin,cn=config" write by * none
olcaccess: {1}to dn.base="" by * read
olcaccess: {2}to * by self write by dn="cn=admin,cn=config" write by * read
olcdatabase: {1}hdb
olcdbcheckpoint: 512 30
olcdbconfig: {0}set_cachesize 0 2097152 0
olcdbconfig: {1}set_lk_max_objects 1500
olcdbconfig: {2}set_lk_max_locks 1500
olcdbconfig: {3}set_lk_max_lockers 1500
olcdbdirectory: /var/lib/ldap/
olcdbindex: objectClass eq
olcdbindex: entryCSN eq
olcdbindex: entryUUID eq
olclastmod: TRUE
olcmirrormode: TRUE
olcrootdn: cn=admin,cn=config
olcrootpw: {SSHA}s1C7GBjdeletedforsecurityreasons
olcsuffix: dc=domain,dc=tld
olcsyncrepl: {0}rid=011 provider=ldaps://server1.domain.tld
binddn="cn=admin,cn=config" credentials="mysecretpassword"
bindmethod=simple starttls=no searchbase="dc=domain,dc=tld"
type=refreshAndPersist retry="5 5 300 +" timeout=0 network-timeout=0
filter="(objectclass=*)" attrs="*,+" scope=sub
olcsyncrepl: {1}rid=012 provider=ldaps://server2.domain.tld
binddn="cn=admin,cn=config" credentials="mysecretpassword"
bindmethod=simple starttls=no searchbase="dc=domain,dc=tld"
type=refreshAndPersist retry="5 5 300 +" timeout=0 network-timeout=0
filter="(objectclass=*)" attrs="*,+" scope=sub
olcsyncrepl: {2}rid=013 provider=ldaps://server3.domain.tld
binddn="cn=admin,cn=config" credentials="mysecretpassword"
bindmethod=simple starttls=no searchbase="dc=domain,dc=tld"
type=refreshAndPersist retry="5 5 300 +" timeout=0 network-timeout=0
filter="(objectclass=*)" attrs="*,+" scope=sub
structuralobjectclass: olcHdbConfig
subschemasubentry: cn=Subschema
# Entry 13: olcOverlay={0}syncprov,olcDatabase={1}hdb,cn=config
dn: olcOverlay={0}syncprov,olcDatabase={1}hdb,cn=config
createtimestamp: 20110522163658Z
creatorsname: cn=admin,cn=config
entrycsn: 20110522201502.521704Z#000000#000#000000
entrydn: olcOverlay={0}syncprov,olcDatabase={1}hdb,cn=config
entryuuid: 74b70896-18dd-1030-94f4-2183161cb5d6
modifiersname: cn=admin,cn=config
modifytimestamp: 20110522201502Z
objectclass: olcOverlayConfig
objectclass: olcSyncProvConfig
objectclass: top
olcoverlay: {0}syncprov
olcspcheckpoint: 100 10
structuralobjectclass: olcSyncProvConfig
subschemasubentry: cn=Subschema
11 years, 11 months
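Two of the questions above have definite answers in slapd.conf(5) and the admin guide's replication chapter: a rid identifies a syncrepl directive within one consumer server and must be unique there, so the user database cannot reuse 011/012/013 while the cn=config consumers hold them; and the replication identity for the user DIT can be created as an ordinary entry in that DIT once it has a base entry, after which the consumers are switched to it. The LDIF below is an added example, not Marcel's config. Suffix, database name, provider URLs and retry settings are copied from the posted config; the cn=replicator DN, its description and the password placeholders are assumptions. The olcLimits value is needed because the posted frontend has olcSizeLimit 500, which would truncate the initial refresh for any consumer identity that is not the rootdn.

```ldif
# Step 1: seed the user DIT and the replication identity on one server,
# bound as the hdb rootdn of the posted config. Replication carries it
# to the other two nodes.
#   ldapadd -x -H ldapi:/// -D cn=admin,cn=config -W -f step1.ldif
dn: dc=domain,dc=tld
objectClass: dcObject
objectClass: organization
dc: domain
o: domain

dn: cn=replicator,dc=domain,dc=tld
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: replicator
description: syncrepl consumer identity; read-only, never logs in
# hash produced by slappasswd; the cleartext goes only into olcSyncrepl
userPassword: {SSHA}REPLACE-WITH-SLAPPASSWD-OUTPUT

# Step 2: grant the identity read access (including password hashes,
# which it must replicate), lift its size/time limits, and move the
# consumers to it with rids that do not collide with the cn=config
# consumers (011-013). cn=config is itself replicated, so applying this
# on one node propagates it.
#   ldapmodify -Y EXTERNAL -H ldapi:/// -f step2.ldif
dn: olcDatabase={1}hdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange
  by self write
  by anonymous auth
  by dn.exact="cn=replicator,dc=domain,dc=tld" read
  by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to *
  by self write
  by dn.exact="cn=replicator,dc=domain,dc=tld" read
  by * read
-
replace: olcLimits
olcLimits: {0}dn.exact="cn=replicator,dc=domain,dc=tld"
  time.soft=unlimited time.hard=unlimited
  size.soft=unlimited size.hard=unlimited
-
replace: olcSyncrepl
olcSyncrepl: {0}rid=021 provider=ldaps://server1.domain.tld
  binddn="cn=replicator,dc=domain,dc=tld" credentials="REPLACE-ME"
  bindmethod=simple searchbase="dc=domain,dc=tld"
  type=refreshAndPersist retry="5 5 300 +" timeout=0 network-timeout=0
  filter="(objectclass=*)" attrs="*,+" scope=sub
olcSyncrepl: {1}rid=022 provider=ldaps://server2.domain.tld
  binddn="cn=replicator,dc=domain,dc=tld" credentials="REPLACE-ME"
  bindmethod=simple searchbase="dc=domain,dc=tld"
  type=refreshAndPersist retry="5 5 300 +" timeout=0 network-timeout=0
  filter="(objectclass=*)" attrs="*,+" scope=sub
olcSyncrepl: {2}rid=023 provider=ldaps://server3.domain.tld
  binddn="cn=replicator,dc=domain,dc=tld" credentials="REPLACE-ME"
  bindmethod=simple searchbase="dc=domain,dc=tld"
  type=refreshAndPersist retry="5 5 300 +" timeout=0 network-timeout=0
  filter="(objectclass=*)" attrs="*,+" scope=sub
```

The olcAccess set keeps the posted policy (anonymous read on the tree) and only adds the replicator clauses; tightening `by * read` is a separate decision. After applying step 2, `ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config olcSyncrepl` on each node should show rids 011-013 on the config database and 021-023 on the hdb database, with no rid appearing twice on one server.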
Sendmail + LDAP
by Vasily Yakovlev
Hi,
I experience some problems with setting up Sendmail with the LDAP database for virtual mail accounts.
I believe that the reason for my problem is in configuring dovecot-deliver, but nobody answers me on the dovecot mailing list, so I've decided to post
a message here
What i have:
- FreeBSD 8.2-RELEASE
- sendmail (Version 8.14.4 with LDAP support installed from ports)
- Dovecot LDA + dovecot (as pop3/imap) - 1.2.16
- openldap - 2.4.23
1. Following http://wiki.dovecot.org/LDA/Sendmail I've set up deliver as LDA. Everything worked fine.
2. Following http://wiki.dovecot.org/HowTo/DovecotOpenLdap I've set up Dovecot to work with the LDAP. Now I can authorize through the client or web interface and get to my maildir.
3. Now, I want my sendmail to accept mail for the account in the LDAP database.
sendmail.mc:
++++++++++++++++++++++
FEATURE(`local_procmail', `/usr/local/libexec/dovecot/deliver',`/usr/local/libexec/dovecot/deliver -d $u')
MODIFY_MAILER_FLAGS(`LOCAL', `-f')
......................................
define(`confLDAP_DEFAULT_SPEC', `-h "localhost" -b "dc=mydomain,dc=ru" -d "cn=dovecot,ou=accounts,dc=mydomain,dc=ru" -MLDAP_AUTH_SIMPLE -P /etc/mail/ldap_pass')dnl
LDAPROUTE_DOMAIN(`mydomain.ru')dnl
FEATURE(`ldap_routing', `null -T<TMPF>', `ldap -1 -T<TMPF> -v mail -k (&(objectclass=posixaccount)(mail=%0))', `passthru')dnl
......................................
MAILER(procmail)
++++++++++++++++++++++
After re-making the sendmail:
++++++++++++++++++++++
[root@test2 /etc/mail]# sendmail -bv -d60.1 test_user(a)mydomain.ru
map_lookup(dequote, test) => NOT FOUND (0)
map_lookup(host, mydomain.ru) => mydomain.ru. (0)
map_lookup(dequote, test_user) => NOT FOUND (0)
map_lookup(ldapmra, test_user(a)mydomain.ru) => test_user(a)mydomain.ru (0)
map_lookup(ldapmh, test_user(a)mydomain.ru) => NOT FOUND (68)
map_lookup(host, mydomain.ru) => mydomain.ru. (0)
map_lookup(dequote, test_user) => NOT FOUND (0)
map_lookup(virtuser, test_user(a)mydomain.ru) => NOT FOUND (0)
map_lookup(virtuser, @mydomain.ru) => NOT FOUND (0)
test_user(a)mydomain.ru... User unknown
++++++++++++++++++++++
It's a problem with the local delivery, I believe. Why? Because after sendmail gets an email it passes it to the LDA, which must check the LDAP (not the passwd!) database for the user to which this email is sent.
Are there some possibilities to solve this problem?
Or maybe there might be a problem in configuring the OpenLDAP?
I appreciate any help...
-----------------------
Best regards, Vasily Yakovlev
11 years, 11 months
SASL working but kerberos DOMAIN is not set
by Friedrich Locke
I have set up openldap+sasl+kerberos.
It is working, but the Kerberos realm is not set in the bind DN. Why?
Here is my session:
sioux@gustav$ ldapsearch -Y GSSAPI -b "" -s base -LLL supportedSASLMechanisms
SASL/GSSAPI authentication started
SASL username: sioux(a)UFV.BR
SASL SSF: 56
SASL data security layer installed.
dn:
supportedSASLMechanisms: OTP
supportedSASLMechanisms: NTLM
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: CRAM-MD5
sioux@gustav$
Here is what i got from slapd err output :
...
...
...
do_bind: dn () SASL mech GSSAPI
slap_sasl_getdn: u:id converted to uid=sioux,cn=GSSAPI,cn=auth
>>> dnNormalize: <uid=sioux,cn=GSSAPI,cn=auth>
<<< dnNormalize: <uid=sioux,cn=gssapi,cn=auth>
==>slap_sasl2dn: converting SASL name uid=sioux,cn=gssapi,cn=auth to a DN
<==slap_sasl2dn: Converted SASL name to <nothing>
SASL Authorize [conn=1001]: proxy authorization allowed authzDN=""
send_ldap_sasl: err=0 len=-1
do_bind: SASL/GSSAPI bind: dn="uid=sioux,cn=gssapi,cn=auth" sasl_ssf=56
send_ldap_response: msgid=3 tag=97 err=0
ber_flush2: 14 bytes to sd 13
...
...
...
Any idea about what is going on?
11 years, 11 months
Re: access
by Friedrich Locke
Sorry folks,
please forgive me, I forgot to let you know I am using Kerberos
(SASL), so I bind via a SASL mechanism, not as the DN owned by me.
Thanks once more for your help.
On Tue, Jun 28, 2011 at 2:05 PM, Quanah Gibson-Mount <quanah(a)zimbra.com> wrote:
> --On Tuesday, June 28, 2011 10:05 AM -0300 Friedrich Locke
> <friedrich.locke(a)gmail.com> wrote:
>
>> Dear list members,
>>
>> I would like to use OpenLDAP for the Unix users and groups of my local
>> network. I started studying the OpenLDAP access mechanism yesterday, and I
>> am a little confused.
>>
>> I am writing in order to get some help for a single scenario I would
>> like to share with you.
>>
>> My users will be below ou=users,dc=ufv,dc=br.
>>
>> I would like to write an access rule for the following.
>>
>> User X has complete access to his/her entry:
>>
>> cn=X,dc=ufv,dc=br
>
> by self write
> by users read
>
> --Quanah
>
>
>
> --
>
> Quanah Gibson-Mount
> Sr. Member of Technical Staff
> Zimbra, Inc
> A Division of VMware, Inc.
> --------------------
> Zimbra :: the leader in open source messaging and collaboration
>
11 years, 11 months
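The two Friedrich threads above (the GSSAPI bind and the "access" question) meet at one point: after a SASL bind, slapd's authorization DN is the synthetic uid=sioux,cn=gssapi,cn=auth shown in the posted log, and the "Converted SASL name to <nothing>" line means nothing maps it onto a real entry, so "by self write" on cn=X,dc=ufv,dc=br can never match. The mapping is done with authz-regexp (slapd.conf(5)). The fragment below is an added example, not from either post or from Quanah's reply: the suffix and ou=users are the poster's; it assumes the user entries carry a uid attribute equal to the Kerberos principal's name (sioux), and the optional `cn=<realm>` group covers the form slapd produces when a non-default realm is part of the SASL identity.

```conf
# Map the SASL authentication DN slapd derives from GSSAPI onto the
# user's own entry. $1 is the principal name; the optional second group
# absorbs a ",cn=<realm>" component if one is present.
authz-regexp
    "^uid=([^,]+)(,cn=[^,]+)?,cn=gssapi,cn=auth$"
    "ldap:///ou=users,dc=ufv,dc=br??sub?(uid=$1)"

# With the mapping in place "self" is the mapped entry, so the rule from
# the reply does what was asked. Password attribute first, so that the
# hash is never readable and anonymous can only use it to bind.
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none
access to dn.subtree="ou=users,dc=ufv,dc=br"
    by self write
    by users read
    by * none
```

The quickest check is `ldapwhoami -Y GSSAPI`: before the mapping it prints dn:uid=sioux,cn=gssapi,cn=auth, afterwards the entry's real DN. The search URL must match exactly one entry; if it matches none or several, slapd keeps the unmapped SASL DN and "self" silently fails to apply.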