openldap-technical August 2011

openldap-technical@openldap.org

87 participants
96 discussions

can't get memberof filter working
by Gerardo Herzig 12 Aug '11

12 Aug '11

Hi all. Im having hard time triyng to figure out what is wrong with this ldap query: Im triyng to filter a specific user inside a specific group. Like this /usr/bin/ldapsearch -x -D ".." -w.. -b "o=Work" "(&(uniquemember=uid=gherzig,ou=People,o=Work) (memberof=cn=MailUsers,ou=Groups,o=Work))" It gets no results, but if i remove the memberof part, it works good. "(&(uniquemember=uid=gherzig,ou=People,o=Work))" as a filter gives me all the entries that users is in. What is wrong? BTW specifiyng a different basesearch is not an option, i need that base as it is. Thanks!! Gerardo

4 7

Group Members
by criderkevin＠aol.com 12 Aug '11

12 Aug '11

Whats the best way to design my LDAP for use by multiple apps? I need to be able to tell if a user if a member of different apps to allow access. I started by adding custom attributes for each app, boolean and such, and that works fine but somehow just doesn't feel right. Now I'm experimenting with Groups. I have a few Groups setup of objectClass groupOfNames and I've added "member"s to them...the problem is I can't seem to find an ldapsearch that returns a list of users for a particular group. What am I missing here? This query was the closest I came as it returns the list of member attributes: /usr/bin/ldapsearch -h 127.0.0.1 -x -b "dc=mydomain,dc=com" "(&(objectclass=groupOfNames)(cn=GroupA))" Perhaps I am misunderstanding that ldap can do what I'm asking...(???) Would I be better off with the custom attributes on my Users ou? I also need to consider that we need to provide access to seveal admins for maintenance, so we need to make sure one admin can't change the application access that they shouldn't be. Should we have a seperate branch for each app then??? tia, Kevin

3 2

list of replics
by Dmitriy Kirhlarov 12 Aug '11

12 Aug '11

Hi, list. Our company has some core ldap servers. Also we have many replicas from this core, all supported by different persons. I need to get the full list of these replicas. I supposed to find this information in slapd.log, with "sync" enabled, but I couldn't find any replica indicators. Could you please let me know how to find replicas information in slapd.log? WBR

3 3

chaining and referral object with two referrals
by Meike Stone 12 Aug '11

12 Aug '11

Hello, sorry for asking again. If I use the chaining overlay (slapo-chain), and I put more then one referral in the referral-object, how does the overlay behave and can I configure this? Background is, that I want put two referrals to two LDAP-Servers (multi master) and if one of them is missing, the secondary should be asked from the slapo. (http://www.openldap.org/lists/openldap-technical/201107/msg00267.html) Thanks, Meike! (Excuse me for using the mail address from my colleague last time)..

2 2

Read-only Back-SQL
by Worgan, Craig (Craig) 11 Aug '11

11 Aug '11

Hi, I have a little bit of, mainly experimental, experience configuring back-sql to connect to a PostgreSQL database. I have a requirement in front of me to expose a small table of user data in the database to an existing LDAP client. The data in the database is already in the database and managed by another application through the database directly. The LDAP API I am being asked to provide will be read-only. In other words, the data will continue to be managed by the existing management app. I foresee two problems with this approach. First, since the database table is already populated when the new ldap service is turned on, there is no data in the ldap_entries table. Is there a way to populate ldap_entries after the fact so that the records can be seen by OpenLDAP? Second, since the data is mastered by another application that goes through SQL directly, is there a way to update the ldap_entries table on the fly to reflect the additions and deletions that occur once the ldap service is up and running? Right now I am looking at writing a custom procedure to initially populate the ldap_entries table and then triggers to manage the additions and deletions from that point onward. I was just wondering if there was something in back-sql already that might provide a better solution. We are currently using OpenLDAP 2.4.21. Thanks, Craig Worgan Avaya| System Management Solutions | 250 Sidney Street | Belleville, Ontario Canada K8N 5B7 | (613) 967-5233 | worganc(a)avaya.com<mailto:worganc@avaya.com>

1 0

Multi-master setup
by Nocturn 11 Aug '11

11 Aug '11

I'm trying to set up a multi-master ldap with openldap on SL/RHEL 6.1 from the docs here: http://www.openldap.org/doc/admin24/replication.html#N-WayMulti-Master I created an ldif file with: dn: cn=config objectClass: olcGlobal cn: config olcServerID: 1 dn: olcDatabase={0}config,cn=config objectClass: olcDatabaseConfig olcDatabase: {0}config olcRootPW: *** But all attempts to import it fail, both with ldapadd as with slapadd. I think I may be getting the whole cn=config way of doing things wrong. Can anyone point me in the right direction? Thanks

1 0

XDAS, SNMP, Auditing, Architecture, Systemrequirement, Replication, Administration - Request
by Kai Pohl 11 Aug '11

11 Aug '11

Dear Sir or Madam, i have some questions about OpenLDAP 2.4.23 or 2.4.26. Does it have a XDAS interface or implementation possibility of another company? Can it use SNMP for monitoring/administration? A question of the architecture of OpenLDAP: Provide it Read-Only/Multi-Read/Write/Multi-Server System? Where can i find Requirments for the system, on which OpenLDAP should installed? My last question is about replication, which replicationforms cann be used, partitioning? Kind Regards Kai Pohl ====================================== Kai Pohl Computer & Competence GmbH, www.cuc.de Warnstedtstrasse 12-16, D22525 Hamburg Tel: +49 (0)40 54882 - 163, Fax: -288 CuC ist als "Computer & Competence" Beratungs- und Vertriebs GmbH beim Hamburger Amtsgericht im Register B unter der Nummer 46306 registriert. Geschäftsführer: Constantin Albrecht AGB: https://www.cuc.de/AGB.agb.0.html ======================================

2 1

Problem in authentication when multiple CA certificates are present
by sachin mishra 10 Aug '11

10 Aug '11

LDAP authentication was working fine when I had single CA certificate at my client machine. I was using ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTFILE, tls_cacert_file)) to set the path of CA certificate. Now, there are multiple CA certificates in my certificate hosting path. I tried by reading all the files and then assign the first one using the set option above and if it fails, I perform ldap_unbind and then create a fresh request and set all the options before calling "ldap_start_tls_s". So the steps are: 1. ld = ldap_init() 2. ldap_set_option for number of options including LDAP_OPT_X_TLS_CACERTFILE which points to first file in the directory containing multiple CA certificates 3. ldap_start_tls_s(ld, NULL, NULL) 4. If step 3 is successful continue with normal operation 5. If step 3 fails, ldap_unbind (ld), start from step1 again except that LDAP_OPT_X_TLS_CACERTFILE will now have the next entry in the directory as input. Is there anything wrong in this? Is there any better approach for this? Thanks, Sachin

2 1

Hello, please help build a query for LDAP
by Alexey Shalin 10 Aug '11

10 Aug '11

Hello, please help build a query for LDAP, to get a list of accounts whose password has expired Thank you ------------------------------------------------------------------------------- С уважением, Алексей Шалин Системный Администратор Отдел системного администрирования ЗАО "Межбанковский процессинговый центр" 720083, Кыргызская Республика г. Бишкек, ул. Ауэзова 1/2 тел.: +996 (312) 637738 (вн. 138) факс: +996 (312) 637748 e-mail: <mailto:a.shalin@ipc.kg> a.shalin(a)ipc.kg

2 1

TLS handshake failure
by Daniel Qian 09 Aug '11

09 Aug '11

Hi, I have slapd 2.4.24 and everything works without TLS. but if I add a -Z option to the ldapsearch command I get this: [root@ldaprov1 cacerts]# ldapsearch -x -LLL -b cn=config -D cn=admin,cn=config -wxxxxxxx -Z -H ldap://ldaprov1.prod cn=config ldap_start_tls: Connect error (-11) ldap_result: Can't contact LDAP server (-1) slapd.log shows something like this : connection_read(16): TLS accept failure error=-1 id=1006, closing Output from openssl debug: [root@ldaprov1 cacerts]# openssl s_client -connect hostname:389 -showcerts -state -CAfile cacert.pem CONNECTED(00000003) SSL_connect:before/connect initialization SSL_connect:SSLv2/v3 write client hello A 140225133647680:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177: --- no peer certificate available --- No client certificate CA names sent --- SSL handshake has read 0 bytes and written 113 bytes --- New, (NONE), Cipher is (NONE) Secure Renegotiation IS NOT supported Compression: NONE Expansion: NONE --- The configurations are as follow (same command as above but without the -Z option): [root@ldaprov1 cacerts]# ldapsearch -x -LLL -b cn=config -D cn=admin,cn=config -wxxxxxx -H ldap://hostname cn=config dn: cn=config objectClass: olcGlobal cn: config olcConfigFile: /etc/openldap/slapd.conf olcConfigDir: /etc/openldap/slapd.d olcAllows: bind_v2 olcArgsFile: /var/run/openldap/slapd.args olcAttributeOptions: lang- olcAuthzPolicy: none olcConcurrency: 0 olcConnMaxPending: 100 olcConnMaxPendingAuth: 1000 olcGentleHUP: FALSE olcIdleTimeout: 0 olcIndexSubstrIfMaxLen: 4 olcIndexSubstrIfMinLen: 2 olcIndexSubstrAnyLen: 4 olcIndexSubstrAnyStep: 2 olcIndexIntLen: 4 olcLocalSSF: 71 olcLogLevel: 9 olcPidFile: /var/run/openldap/slapd.pid olcReadOnly: FALSE olcReverseLookup: FALSE olcSaslSecProps: noplain,noanonymous olcSockbufMaxIncoming: 262143 olcSockbufMaxIncomingAuth: 16777215 olcThreads: 16 olcTLSCACertificateFile: /etc/openldap/cacerts/cacert.pem olcTLSCertificateFile: /etc/openldap/cacerts/ldaprov1.crt olcTLSCertificateKeyFile: /etc/openldap/cacerts/ldaprov1.key olcTLSVerifyClient: never olcToolThreads: 1 olcWriteTimeout: 0 I verified the ldap user can read all the TLS files and they are setup fine [root@ldaprov1 cacerts]# openssl verify -purpose sslserver -CAfile cacert.pem ldaprov1.crt ldaprov1.crt: OK Anyone can tell me what I am missing here? Thanks, Daniel

2 17

← Newer
1
2
3
4
5
6
7
8
9
10
Older →

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical August 2011