Hi all. Im having hard time triyng to figure out what is wrong with this
Im triyng to filter a specific user inside a specific group. Like this
/usr/bin/ldapsearch -x -D ".." -w..
It gets no results, but if i remove the memberof part, it works good.
"(&(uniquemember=uid=gherzig,ou=People,o=Work))" as a filter gives me
all the entries that users is in.
What is wrong?
BTW specifiyng a different basesearch is not an option, i need that base
as it is.
Whats the best way to design my LDAP for use by multiple apps?
I need to be able to tell if a user if a member of different apps to allow access. I started by adding custom attributes for each app, boolean and such, and that works fine but somehow just doesn't feel right.
Now I'm experimenting with Groups. I have a few Groups setup of objectClass groupOfNames and I've added "member"s to them...the problem is I can't seem to find an ldapsearch that returns a list of users for a particular group. What am I missing here? This query was the closest I came as it returns the list of member attributes:
/usr/bin/ldapsearch -h 127.0.0.1 -x -b "dc=mydomain,dc=com" "(&(objectclass=groupOfNames)(cn=GroupA))"
Perhaps I am misunderstanding that ldap can do what I'm asking...(???)
Would I be better off with the custom attributes on my Users ou? I also need to consider that we need to provide access to seveal admins for maintenance, so we need to make sure one admin can't change the application access that they shouldn't be. Should we have a seperate branch for each app then???
Our company has some core ldap servers.
Also we have many replicas from this core, all supported by different
persons. I need to get the full list of these replicas.
I supposed to find this information in slapd.log, with "sync" enabled,
but I couldn't find any replica indicators.
Could you please let me know how to find replicas information in slapd.log?
sorry for asking again.
If I use the chaining overlay (slapo-chain), and I put more then one
referral in the referral-object, how does the overlay behave and can I
Background is, that I want put two referrals to two LDAP-Servers
(multi master) and if one of them is missing, the secondary should be
asked from the slapo.
(Excuse me for using the mail address from my colleague last time)..
I have a little bit of, mainly experimental, experience configuring back-sql to connect to a PostgreSQL database. I have a requirement in front of me to expose a small table of user data in the database to an existing LDAP client. The data in the database is already in the database and managed by another application through the database directly. The LDAP API I am being asked to provide will be read-only. In other words, the data will continue to be managed by the existing management app. I foresee two problems with this approach.
First, since the database table is already populated when the new ldap service is turned on, there is no data in the ldap_entries table. Is there a way to populate ldap_entries after the fact so that the records can be seen by OpenLDAP?
Second, since the data is mastered by another application that goes through SQL directly, is there a way to update the ldap_entries table on the fly to reflect the additions and deletions that occur once the ldap service is up and running?
Right now I am looking at writing a custom procedure to initially populate the ldap_entries table and then triggers to manage the additions and deletions from that point onward. I was just wondering if there was something in back-sql already that might provide a better solution.
We are currently using OpenLDAP 2.4.21.
Avaya| System Management Solutions | 250 Sidney Street | Belleville, Ontario Canada K8N 5B7 | (613) 967-5233 | worganc(a)avaya.com<mailto:email@example.com>
I'm trying to set up a multi-master ldap with openldap on SL/RHEL 6.1 from
the docs here: http://www.openldap.org/doc/admin24/replication.html#N-WayMulti-Master
I created an ldif file with:
But all attempts to import it fail, both with ldapadd as with slapadd.
I think I may be getting the whole cn=config way of doing things
wrong. Can anyone point me in the right direction?
Dear Sir or Madam,
i have some questions about OpenLDAP 2.4.23 or 2.4.26. Does it have a
XDAS interface or implementation possibility of another company? Can it
use SNMP for monitoring/administration? A question of the architecture
of OpenLDAP: Provide it Read-Only/Multi-Read/Write/Multi-Server System?
Where can i find Requirments for the system, on which OpenLDAP should
installed? My last question is about replication, which replicationforms
cann be used, partitioning?
Computer & Competence GmbH, www.cuc.de
Warnstedtstrasse 12-16, D22525 Hamburg
Tel: +49 (0)40 54882 - 163, Fax: -288
CuC ist als "Computer & Competence"
Beratungs- und Vertriebs GmbH beim
Hamburger Amtsgericht im Register B
unter der Nummer 46306 registriert.
Geschäftsführer: Constantin Albrecht
LDAP authentication was working fine when I had single CA certificate at my client machine. I was using
ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTFILE, tls_cacert_file))
to set the path of CA certificate. Now, there are multiple CA certificates in my certificate hosting path. I tried by reading all the files and then assign the first one using the set option above and if it fails, I perform ldap_unbind and then create a fresh
request and set all the options before calling "ldap_start_tls_s". So the steps are:
1. ld = ldap_init()
2. ldap_set_option for number of options including LDAP_OPT_X_TLS_CACERTFILE which points to first file in the directory containing multiple CA certificates
3. ldap_start_tls_s(ld, NULL, NULL)
4. If step 3 is successful continue with normal operation
5. If step 3 fails, ldap_unbind (ld), start from step1 again except that LDAP_OPT_X_TLS_CACERTFILE will now have the next entry in the directory as input.
Is there anything wrong in this? Is there any better approach for this?
Hello, please help build a query for LDAP, to get a list of accounts whose password has expired
Отдел системного администрирования
ЗАО "Межбанковский процессинговый центр"
720083, Кыргызская Республика
г. Бишкек, ул. Ауэзова 1/2
тел.: +996 (312) 637738 (вн. 138)
факс: +996 (312) 637748
e-mail: <mailto:firstname.lastname@example.org> a.shalin(a)ipc.kg
I have slapd 2.4.24 and everything works without TLS. but if I add a -Z
option to the ldapsearch command I get this:
[root@ldaprov1 cacerts]# ldapsearch -x -LLL -b cn=config -D
cn=admin,cn=config -wxxxxxxx -Z -H ldap://ldaprov1.prod cn=config
ldap_start_tls: Connect error (-11)
ldap_result: Can't contact LDAP server (-1)
slapd.log shows something like this : connection_read(16): TLS accept
failure error=-1 id=1006, closing
Output from openssl debug:
[root@ldaprov1 cacerts]# openssl s_client -connect hostname:389
-showcerts -state -CAfile cacert.pem
SSL_connect:SSLv2/v3 write client hello A
140225133647680:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake
no peer certificate available
No client certificate CA names sent
SSL handshake has read 0 bytes and written 113 bytes
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
The configurations are as follow (same command as above but without the
[root@ldaprov1 cacerts]# ldapsearch -x -LLL -b cn=config -D
cn=admin,cn=config -wxxxxxx -H ldap://hostname cn=config
I verified the ldap user can read all the TLS files and they are setup fine
[root@ldaprov1 cacerts]# openssl verify -purpose sslserver -CAfile
Anyone can tell me what I am missing here?