Re: cannot access entries
by ian logan
Why not adjust your logLevel to include ACL processing? It's usually very informative.
On Jul 4, 2011, at 1:23 PM, Friedrich Locke wrote:
> This is for learning purposes, the password will not be that one on a
> production system.
> ypldap access is just before any other more restrictive.
>
> My question still remains: how may I get a listing of the entries directly
> below (one level only) a given base?
> Searching with a filter is of interest too, but I am being prevented.
> Does anybody here know how it could be done given my access rules in
> the prior email?
>
> Thanks once more.
>
>
> On Mon, Jul 4, 2011 at 4:01 PM, Chris Jacobs <Chris.Jacobs(a)apollogrp.edu> wrote:
>> The ypldap access should be before the one that limits more - the more restrictive one will match first.
>>
>> If that account is intended as your main 'root'-ish account, it should probably be granted access to all right off the bat.
>>
>> Also: change your ldap password now. (I've done this; sent a password to the mailing list - dumb).
>>
>> - chris
>>
>> Chris Jacobs, Systems Administrator, Technology Services Group
>> Apollo Group | Apollo Marketing & Product Development | Aptimus, Inc.
>> 2001 6th Ave | Ste 3200 | Seattle, WA 98121
>> phone: 206.839-8245 | cell: 206.601.3256 | Fax: 208.441.9661
>> email: chris.jacobs(a)apollogrp.edu
>>
>> ----- Original Message -----
>> From: openldap-technical-bounces(a)OpenLDAP.org <openldap-technical-bounces(a)OpenLDAP.org>
>> To: openldap-technical(a)openldap.org <openldap-technical(a)openldap.org>
>> Sent: Mon Jul 04 11:19:45 2011
>> Subject: cannot access entries
>>
>> Hi list members,
>>
>> I am trying to configure access to my LDAP server, but I am doing
>> something wrong that I am not aware of. The access list is below:
>>
>> access to dn.one="ou=appsrv,dc=ufv,dc=br" attrs=userpassword
>> by self read
>> by anonymous auth
>> by * none
>>
>> access to dn.one="ou=appsrv,dc=ufv,dc=br"
>> by self read
>> by * none
>>
>> access to dn.one="ou=people,dc=ufv,dc=br" attrs=userpassword
>> by self read
>> by anonymous auth
>> by * none
>>
>> access to dn.one="ou=people,dc=ufv,dc=br"
>> by self read
>> by dn.exact="cn=ypldap,ou=appsrv,dc=ufv,dc=br" read
>> by * none
>>
>> access to dn.one="ou=group,dc=ufv,dc=br"
>> by dn.base="cn=ypldap,ou=appsrv,dc=ufv,dc=br" read
>> by * none
>>
>>
>> =======================================
>>
>> The command i am executing and its output is below
>>
>> sioux@gustav$ ldapsearch -x -w ypldapA4esuopdV -D cn=ypldap,ou=appsrv,dc=ufv,dc=br -b ou=people,dc=ufv,dc=br -s one
>> # extended LDIF
>> #
>> # LDAPv3
>> # base <ou=people,dc=ufv,dc=br> with scope oneLevel
>> # filter: (objectclass=*)
>> # requesting: ALL
>> #
>>
>> # search result
>> search: 2
>> result: 32 No such object
>>
>> # numResponses: 1
>> sioux@gustav$
>>
>> Why am I not getting a list of entries below ou=people,dc=ufv,dc=br?
>>
>> Thanks in advance.
>
10 years, 12 months
Status of support for draft-wahl-ldap-session
by Michael Ströder
Hi!
It seems there is support for draft-wahl-ldap-session in OpenLDAP's source since
2007, but it seems not to be enabled in a default build. Is it sufficient to
compile with -DSLAP_CONTROL_X_SESSION_TRACKING, or do I also have to use
-DLDAP_DEVEL (because of the ifdef in ldap.h)? The latter does not work with
2.4.26...
Should I file an ITS for it?
Ciao, Michael.
10 years, 12 months
cannot access entries
by Friedrich Locke
Hi list members,
I am trying to configure access to my LDAP server, but I am doing
something wrong that I am not aware of. The access list is below:
access to dn.one="ou=appsrv,dc=ufv,dc=br" attrs=userpassword
by self read
by anonymous auth
by * none
access to dn.one="ou=appsrv,dc=ufv,dc=br"
by self read
by * none
access to dn.one="ou=people,dc=ufv,dc=br" attrs=userpassword
by self read
by anonymous auth
by * none
access to dn.one="ou=people,dc=ufv,dc=br"
by self read
by dn.exact="cn=ypldap,ou=appsrv,dc=ufv,dc=br" read
by * none
access to dn.one="ou=group,dc=ufv,dc=br"
by dn.base="cn=ypldap,ou=appsrv,dc=ufv,dc=br" read
by * none
=======================================
The command i am executing and its output is below
sioux@gustav$ ldapsearch -x -w ypldapA4esuopdV -D cn=ypldap,ou=appsrv,dc=ufv,dc=br -b ou=people,dc=ufv,dc=br -s one
# extended LDIF
#
# LDAPv3
# base <ou=people,dc=ufv,dc=br> with scope oneLevel
# filter: (objectclass=*)
# requesting: ALL
#
# search result
search: 2
result: 32 No such object
# numResponses: 1
sioux@gustav$
Why am I not getting a list of entries below ou=people,dc=ufv,dc=br?
Thanks in advance.
10 years, 12 months
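The access list and the ldapsearch from the post above (and from the reply thread at the top of the page, which quotes the same directives) worked through with a small evaluator. This is an added example, not code from either post and not OpenLDAP code. It models two rules from slapd.access(5) and the Admin Guide: the first `access to` clause whose target matches the entry and attribute is the one used, the first matching `by` clause inside it decides, and when directives exist but none matches, a trailing `access to * by * none` is implied. The reading it assumes, which the output supports, is that `dn.one` covers only the children of ou=people, so no directive grants cn=ypldap any access to the base entry ou=people,dc=ufv,dc=br itself, and a search rooted there comes back as `No such object`. The child entry uid=example is constructed; `FIXED_ACLS` and `SHADOWED_ACLS` are hypothetical variants, not anything the posters proposed.

```python
# Toy evaluator for slapd-style access directives (added example; not OpenLDAP
# code). Rules modelled: first matching <what> wins, first matching <by> inside
# it decides, and a non-empty list ends with an implicit "access to * by * none".

LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]

def norm(dn):
    # Comparison form: lower-case, no surrounding whitespace. Assumes no escaped commas.
    return ",".join(p.strip().lower() for p in dn.split(",") if p.strip())

def parent(dn):
    return norm(dn).partition(",")[2]

def what_matches(what, entry_dn, attr):
    # An attrs= list restricts the clause to those attributes; the "entry"
    # pseudo-attribute is never listed, so attrs= clauses never cover it.
    if what.get("attrs") and attr.lower() not in what["attrs"]:
        return False
    style, e, dn = what["style"], norm(entry_dn), norm(what.get("dn", ""))
    if style == "*":
        return True
    if style in ("base", "exact"):
        return e == dn
    if style == "one":            # children only, never the named entry itself
        return parent(e) == dn
    if style == "subtree":        # the named entry and everything below it
        return e == dn or e.endswith("," + dn)
    raise ValueError(style)

def who_matches(who, bind_dn, entry_dn):
    kind = who["kind"]
    if kind == "*":
        return True
    if kind == "anonymous":
        return bind_dn == ""
    if kind == "self":
        return bind_dn != "" and norm(bind_dn) == norm(entry_dn)
    if kind in ("dn.base", "dn.exact"):
        return norm(bind_dn) == norm(who["dn"])
    raise ValueError(kind)

def access(acls, bind_dn, entry_dn, attr="entry"):
    for acl in acls:
        if what_matches(acl["to"], entry_dn, attr):
            for who in acl["by"]:
                if who_matches(who, bind_dn, entry_dn):
                    return who["level"]
            return "none"         # <what> matched but no <by> did: denied, stop here
    return "none" if acls else "read"   # implicit trailing "access to * by * none"

def allows(acls, bind_dn, entry_dn, attr, needed):
    return LEVELS.index(access(acls, bind_dn, entry_dn, attr)) >= LEVELS.index(needed)

YPLDAP = "cn=ypldap,ou=appsrv,dc=ufv,dc=br"

def one(dn, attrs=None):
    return {"style": "one", "dn": dn, "attrs": attrs}

def by(kind, level, dn=None):
    return {"kind": kind, "level": level, "dn": dn}

# The five directives from the post, transcribed into data.
POSTED_ACLS = [
    {"to": one("ou=appsrv,dc=ufv,dc=br", {"userpassword"}),
     "by": [by("self", "read"), by("anonymous", "auth"), by("*", "none")]},
    {"to": one("ou=appsrv,dc=ufv,dc=br"),
     "by": [by("self", "read"), by("*", "none")]},
    {"to": one("ou=people,dc=ufv,dc=br", {"userpassword"}),
     "by": [by("self", "read"), by("anonymous", "auth"), by("*", "none")]},
    {"to": one("ou=people,dc=ufv,dc=br"),
     "by": [by("self", "read"), by("dn.exact", "read", YPLDAP), by("*", "none")]},
    {"to": one("ou=group,dc=ufv,dc=br"),
     "by": [by("dn.base", "read", YPLDAP), by("*", "none")]},
]

# Hypothetical fix: a dn.base clause for ou=people itself. No other directive
# matches that entry, so where it sits among the others does not matter.
FIXED_ACLS = [
    {"to": {"style": "base", "dn": "ou=people,dc=ufv,dc=br"},
     "by": [by("dn.exact", "read", YPLDAP), by("*", "none")]},
] + POSTED_ACLS

# Overlapping targets are where order matters: a broad deny placed first
# shadows every later, more specific grant.
SHADOWED_ACLS = [
    {"to": {"style": "subtree", "dn": "dc=ufv,dc=br"}, "by": [by("*", "none")]},
] + FIXED_ACLS

def diagnose(acls):
    # The three checks behind the posted ldapsearch; the child entry is constructed.
    base = "ou=people,dc=ufv,dc=br"
    child = "uid=example,ou=people,dc=ufv,dc=br"
    return {
        "bind_ok": allows(acls, "", YPLDAP, "userPassword", "auth"),   # simple bind
        "base_ok": allows(acls, YPLDAP, base, "entry", "search"),      # search base
        "child_ok": allows(acls, YPLDAP, child, "entry", "read"),      # returned entries
    }
```

`diagnose(POSTED_ACLS)` gives `bind_ok` and `child_ok` true but `base_ok` false: the bind succeeds (the first directive lets anonymous authenticate against userPassword under ou=appsrv) and each child would be readable, yet the base entry is reachable by no clause, so the implicit deny applies and slapd has nothing to search from. `FIXED_ACLS` turns `base_ok` true without touching the rest, and `SHADOWED_ACLS` shows every check failing once a broad deny precedes the grants. On a real server the equivalent of this walk-through is ian's suggestion: add acl (128) to loglevel and slapd logs which directive it applied to each access decision.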
cn=config and plugins
by Hanns Mattes
Hi,
I'm interested in using the slapi-dnsnotify-plugin to notify slaves of
changes in the pdns-server.
There's an example configuration using slapd.conf[1], but I'd like to
know how a plugin is configured using cn=config.
Distribution is openSUSE 11.3
zypper info shows:
Name: openldap2
Version: 2.4.21-10.3.1
Arch: x86_64
(As far as I understand the *.spec file, plugins aren't enabled in this
build, so I'll have to compile my own version. Or am I wrong?)
Any advice?
Please let me know if any further information is required (and please
be patient, as my writing and understanding of English are limited :-))
TIA
Hanns Mattes
[1] http://thewalter.net/stef/software/slapi-dnsnotify/configuration.html
10 years, 12 months
how to configure use of tls w/ rwm-rewritemap
by Ron Peterson
Hi,
I have a rewrite map configured like:
database ldap
suffix "ou=myou"
uri "ldap://my.backend/"
tls start tls_cacertdir=/my/ca/cert/dir
rwm-rewriteMap ldap uid2adminDN "ldap://my.backend/ou=yada,dc=yada?dn?sub" binddn="uid=someone,..." credentials="etc"
My back end is configured to require tls, i.e.
security ssf=128 update_ssf=128 simple_bind=128
If I remove that requirement, everything works. When I add it, my back
end ldap server logs:
Jul 1 09:24:28 mid slapd[13011]: conn=1006 op=0 BIND dn="uid=someone,..." method=128
Jul 1 09:24:28 mid slapd[13011]: conn=1006 op=0 RESULT tag=97 err=13 text=confidentiality required
How do I configure rwm-rewritemap to use tls?
-Ron-
10 years, 12 months
strange log
by Friedrich Locke
I am seeing the log messages below on my openldap installation:
@(#) $OpenLDAP: slapd 2.4.23 (Jun 28 2011 17:55:44) $
@gustav.cpd.ufv.br:/usr/ports/pobj/openldap-2.4.23/build-amd64/servers/slapd
Backend ACL: access to dn.subtree="cn=monitor"
by dn.base="cn=oldap,dc=ufv,dc=br" read
by * none
Backend ACL: access to *
by * none
config_back_db_open: line 0: warning: cannot assess the validity of
the ACL scope within backend naming context
slapd starting
What does it mean?
How may I avoid these messages?
What do I need to fix?
Thanks once more.
10 years, 12 months
schema
by Friedrich Locke
Hi!
Does anybody know where I could download the schema for the
simpleSecurityObject class?
Thanks in advance.
10 years, 12 months
Re: schema
by ian logan
It comes with OpenLDAP; it's in the Cosine schema file.
On Jul 1, 2011, at 8:18 AM, Friedrich Locke wrote:
> Hi!
>
> Does anybody know where I could download the schema for the
> simpleSecurityObject class?
>
> Thanks in advance.
>
10 years, 12 months
Re: simple binds
by Friedrich Locke
Quanah,
Thank you for your support and patience too; now I got it working as I wished.
If you come to Brazil, let me know and I'll buy you some beers.
Fried.
On Thu, Jun 30, 2011 at 7:38 PM, Quanah Gibson-Mount <quanah(a)zimbra.com> wrote:
> --On Thursday, June 30, 2011 7:22 PM -0300 Friedrich Locke
> <friedrich.locke(a)gmail.com> wrote:
>
>> Is it possible to perform simple binds but looking up the entry's
>> password in a kerberos server?
>
> Please spend some time reading the OpenLDAP documentation. Your question
> here is clearly answered in the OpenLDAP Admin guide, section 14.5:
>
> <http://www.openldap.org/doc/admin24/security.html>
>
> --Quanah
>
>
> --
>
> Quanah Gibson-Mount
> Sr. Member of Technical Staff
> Zimbra, Inc
> A Division of VMware, Inc.
> --------------------
> Zimbra :: the leader in open source messaging and collaboration
>
10 years, 12 months