n-way multimaster replication with ssl and tls
by anil beniwal
Hi List,
Can anybody guide me through the steps required to set up n-way
multimaster (3 or more servers in different countries) replication with
openldap 2.4.2
1. SSL based
2. TLS based
I have normal replication running between 3 servers. Now I want to set up
secure replication.
I am using a self-signed certificate on RHEL 6.3.
How can I validate whether replication is working fine for SSL or TLS?
How do I enable replication logs?
Anything else I should check out?
I have already gone through a lot of postings on Google.
--
Thanks & Regards
Anil Beniwal
10 years, 10 months
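Added example (editor's note, not part of the post above or a reply to it): a cn=config LDIF for one of three providers in an N-way multi-master ring, with each syncrepl consumer forced onto TLS. Everything named here is assumed rather than taken from the post: hosts ldap1/ldap2/ldap3.example.net, suffix dc=example,dc=net, data in olcDatabase={1}hdb with the syncprov overlay already attached (the post says replication already works), replicator identity cn=replicator,dc=example,dc=net, PEM files under /etc/openldap/certs. The same file, with its own certificate/key and the other two hosts as providers, goes on each server.

```ldif
# Added example: TLS-protected N-way multi-master config for ldap1.
# Apply as root:  ldapmodify -Y EXTERNAL -H ldapi:/// -f mmr-tls.ldif
# All host names, paths and DNs below are assumptions, not from the post.

# 1. Server identity. Every provider lists ALL server IDs with their URLs;
#    slapd picks its own by matching the URL it listens on (SLAPD_URLS in
#    /etc/sysconfig/ldap on RHEL 6).
dn: cn=config
changetype: modify
replace: olcServerID
olcServerID: 1 ldap://ldap1.example.net
olcServerID: 2 ldap://ldap2.example.net
olcServerID: 3 ldap://ldap3.example.net

# 2. Server-side TLS. ca.crt must let each server verify the other two:
#    one CA that signed all three certificates, or, if every server has its
#    own self-signed certificate, a bundle containing all three of them.
#    (RHEL's slapd is built on Mozilla NSS; if your build does not take PEM
#    paths, olcTLSCACertificatePath must point at the NSS cert DB instead.)
dn: cn=config
changetype: modify
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/openldap/certs/ca.crt
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/certs/ldap1.example.net.crt
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/certs/ldap1.example.net.key

# 3. Replication logs: "sync" logs syncrepl activity, "stats" logs the
#    connections and operations behind it (facility local4 by default).
dn: cn=config
changetype: modify
replace: olcLogLevel
olcLogLevel: sync
olcLogLevel: stats

# 4. One syncrepl stanza per peer, plus mirror mode.
#    starttls=critical aborts the session if STARTTLS fails, so there is no
#    cleartext fallback; tls_reqcert=demand verifies the peer certificate
#    against tls_cacert. For LDAPS instead of STARTTLS use
#    provider=ldaps://host and drop starttls=. Continuation lines start with
#    TWO spaces: LDIF strips one, the other keeps the options separated.
#    credentials=CHANGE-ME is a placeholder for the replicator's password.
dn: olcDatabase={1}hdb,cn=config
changetype: modify
replace: olcSyncrepl
olcSyncrepl: rid=002 provider=ldap://ldap2.example.net
  bindmethod=simple binddn="cn=replicator,dc=example,dc=net"
  credentials=CHANGE-ME searchbase="dc=example,dc=net"
  type=refreshAndPersist retry="30 10 300 +" timeout=5
  starttls=critical tls_reqcert=demand
  tls_cacert=/etc/openldap/certs/ca.crt
olcSyncrepl: rid=003 provider=ldap://ldap3.example.net
  bindmethod=simple binddn="cn=replicator,dc=example,dc=net"
  credentials=CHANGE-ME searchbase="dc=example,dc=net"
  type=refreshAndPersist retry="30 10 300 +" timeout=5
  starttls=critical tls_reqcert=demand
  tls_cacert=/etc/openldap/certs/ca.crt
-
replace: olcMirrorMode
olcMirrorMode: TRUE
```

To check that it works: run "ldapsearch -x -ZZ -H ldap://ldapN.example.net -b dc=example,dc=net -s base contextCSN" against each of the three servers; -ZZ fails if STARTTLS cannot be negotiated with that server's certificate, and the contextCSN values (one per serverID) should converge across all three once the ring is idle. With "sync" logging on, a consumer that cannot verify a peer logs the TLS failure and keeps retrying on the retry schedule instead of replicating in the clear, which is the point of starttls=critical.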
restricting access *to* entries by a group member
by Elan Ruusamäe
Hi,
The goal is to hide some users in part of the LDAP tree from Apache,
as Apache mod_ldap requires only one entry to be returned for the
anonymous search it performs.
There can be duplicates in the same LDAP directory; for example,
there is another uid=glen present.
The tree looks like this:
    +- dc=example,dc=net
       +- cn=Manager
       +- ou=People
          +- uid=glen
          +- ou=Basement
             +- uid=glen
       +- ou=Groups
          +- cn=Hidden Users
             +- member: uid=glen,ou=People,dc=example,dc=net
where ou=Basement,ou=People,dc=example,dc=net is filled by "database ldap",
and that causes duplicate uid entries in the directory (unavoidable).
So far I have just a static ACL that is working:
    access to dn.regex="uid=(glen|somebody-else),ou=People,dc=delfi,dc=net"
        attrs=uid
        by anonymous =rcxd
It would be better if that could be done by a dynamic group lookup via ACL.
As I see it, there should be an ACL stating that if access to
uid=.+,ou=People,dc=example,dc=net is attempted,
it is checked first whether it is a "member" of cn=Hidden
Users,ou=Groups,dc=example,dc=net,
and if it is a member, access to the entry is denied. However, I'm unable to
complete such an ACL rule.
I have read the manual and tried to experiment, but I can't come up with such
a dynamic configuration. Any help from the list?
--
glen
10 years, 10 months
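Added example (editor's note, not part of the post above or a reply to it): the static ACL rewritten as a set-based ACL, so that the hidden users are looked up in cn=Hidden Users at access-check time instead of being listed in a regex. Assumed, not from the post: the directory uses cn=config with the data in olcDatabase={1}hdb, and this rule is inserted as {0}, ahead of the existing olcAccess rules, which slapd renumbers. ACL "set" clauses are documented as experimental in slapd.access(5) but are built into 2.4.

```ldif
# Added example: dynamic version of the static ACL from the post.
# Apply as root:  ldapmodify -Y EXTERNAL -H ldapi:/// -f hidden-acl.ldif
# Database name and the {0} position are assumptions.
#
# In a set, "this" is the entry being accessed. The set
#     [cn=Hidden Users,ou=Groups,dc=example,dc=net]/member & this
# is non-empty (the clause matches) exactly when the target DN is one of the
# group's member values. Order matters within one rule, first match wins:
#   - bound users get read first, so hidden entries stay visible to them;
#   - anonymous requests that hit a hidden entry get =rcxd, the same trick as
#     the static rule: no "s" means a filter on uid cannot match the entry,
#     so mod_ldap never sees the duplicate;
#   - anonymous requests for any other uid under ou=People get read.
# dn.children covers both uid=glen,ou=People and uid=glen,ou=Basement,ou=People,
# so the group may list whichever copy should be hidden.
# Continuation lines start with two spaces: LDIF strips one, the other keeps
# the words separated.
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to dn.children="ou=People,dc=example,dc=net" attrs=uid
  by users read
  by set="[cn=Hidden Users,ou=Groups,dc=example,dc=net]/member & this" =rcxd
  by anonymous read
```

Before trusting it from Apache, test the rule offline with slapacl(8) against the hidden DN and a non-hidden DN, once as anonymous and once with -D set to a bound user, asking for uid/search: the hidden entry should deny search to anonymous only. If the set never matches, check that the requester is allowed to read the member attribute of cn=Hidden Users under the remaining ACLs, since the group lookup is what the set evaluates.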
Question about "sockbuf_max_incoming"
by Tianyin Xu
Hi, all,
Good day!
Could anyone explain the two following configuration directives:
    sockbuf_max_incoming <integer>
        Specify the maximum incoming LDAP PDU size for anonymous
        sessions. The default is 262143.
    sockbuf_max_incoming_auth <integer>
        Specify the maximum incoming LDAP PDU size for authenticated
        sessions. The default is 4194303.
In which scenario do we need to configure these directives? What value should
we set?
Thanks a lot!
Tianyin
--
Tianyin XU,
http://cseweb.ucsd.edu/~tixu/
10 years, 10 months
DN matching rules
by Chris Card
Hi all,
I see that openldap supports a number of matching rules for DNs, e.g. dnOneLevelMatch, dnSubtreeMatch, dnSubordinateMatch and dnSuperiorMatch.
Please can someone point me to documentation about these matching rules? (Google doesn't seem to bring up much that is useful.)
Chris
10 years, 10 months
Password policy
by jeevan kc
Hello there, I want to enable password policy on OpenLDAP 2.4.30 (for all
users) running on a Linux machine. I see that ppolicy.ldif and ppolicy.schema
are listed under /usr/local/etc/openldap/schema but are not present in the
/usr/local/etc/openldap/slapd.d/cn=config folder. So do I need to add ppolicy.ldif
to the cn=config folder? Is there a specific procedure to do that, or can I
add it manually with ldapadd? Also, how do I enable that schema for all users?
Please help.
10 years, 10 months
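Added example (editor's note, not part of the post above or a reply to it): the cn=config steps for turning on slapo-ppolicy with one default policy that applies to every user. Assumed, not from the post: suffix dc=example,dc=com, data in olcDatabase={1}hdb, ppolicy built as a module in /usr/local/libexec/openldap, slapd listening on ldapi:/// with the EXTERNAL (root) identity allowed to write cn=config, and cn=Manager,dc=example,dc=com as rootdn. The block is two files shown back to back; the "# 3." comment marks where the second one starts.

```ldif
# Added example: enabling ppolicy under cn=config. All DNs and paths are
# assumptions.
#
# Step 1: the schema. The file under schema/ is only a template; cn=config
# knows nothing about it until it is added (this is what creates the
# cn={N}ppolicy,cn=schema,cn=config entry the post is looking for):
#   ldapadd -Y EXTERNAL -H ldapi:/// -f /usr/local/etc/openldap/schema/ppolicy.ldif
# Step 2: the two cn=config entries below (ppolicy-config.ldif):
#   ldapadd -Y EXTERNAL -H ldapi:/// -f ppolicy-config.ldif
# Step 3: the policy entry is ordinary data in the hdb database, so it is
# added as the rootdn, not via EXTERNAL (ppolicy-default.ldif):
#   ldapadd -x -D cn=Manager,dc=example,dc=com -W -f ppolicy-default.ldif

# 2a. Load the overlay module. Skip if ppolicy is compiled in statically
#     (no ppolicy.la on disk). If a cn=module{0},cn=config entry already
#     exists, use "changetype: modify" / "add: olcModuleLoad" on it instead.
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath: /usr/local/libexec/openldap
olcModuleLoad: ppolicy.la

# 2b. Attach the overlay to the database. olcPPolicyDefault is what makes the
#     policy apply to "all users": every entry without a pwdPolicySubentry
#     attribute of its own falls back to this DN.
#     olcPPolicyHashCleartext hashes passwords that clients send in the clear
#     on a Modify, so userPassword is never stored as plaintext.
#     olcPPolicyUseLockout FALSE (the default) returns a generic failure for
#     a locked account; TRUE returns AccountLocked, which tells an attacker
#     which accounts they have just locked out.
dn: olcOverlay=ppolicy,olcDatabase={1}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: ppolicy
olcPPolicyDefault: cn=default,ou=Policies,dc=example,dc=com
olcPPolicyHashCleartext: TRUE
olcPPolicyUseLockout: FALSE

# 3. ppolicy-default.ldif. pwdPolicy is AUXILIARY, so a structural class
#    (device) carries the cn. Durations are in seconds: 90-day maximum age,
#    14-day warning, 15-minute lockout after 5 failures within 5 minutes.
#    pwdCheckQuality 2 rejects a password the server cannot check (one sent
#    pre-hashed by the client); use 1 to let those through unchecked.
dn: ou=Policies,dc=example,dc=com
objectClass: organizationalUnit
ou: Policies

dn: cn=default,ou=Policies,dc=example,dc=com
objectClass: device
objectClass: pwdPolicy
cn: default
pwdAttribute: userPassword
pwdMinLength: 12
pwdCheckQuality: 2
pwdInHistory: 5
pwdMaxAge: 7776000
pwdExpireWarning: 1209600
pwdGraceAuthNLimit: 3
pwdMaxFailure: 5
pwdFailureCountInterval: 300
pwdLockout: TRUE
pwdLockoutDuration: 900
pwdMustChange: TRUE
pwdAllowUserChange: TRUE
pwdSafeModify: FALSE
```

To confirm the policy is in force, change a user's password and then search for that entry as the rootdn requesting the operational attributes pwdChangedTime and pwdFailureTime; they appear only once the overlay is active. One caveat for a replicated setup: the state attributes ppolicy writes on a bind (pwdFailureTime, pwdAccountLockedTime) are internal updates on whichever server handled the bind; slapo-ppolicy(5) describes ppolicy_forward_updates, used together with the chain overlay, for sending them to the provider.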
Re: "authtimestamp" attribute replication
by Clément OUDOT
2012/11/13 Quanah Gibson-Mount <quanah(a)zimbra.com>
> --On Tuesday, November 13, 2012 7:29 PM +0000 jeevan kc <
> jeev_biz(a)hotmail.com> wrote:
>
>
>> Hello
>> So I have initiated the lastbind overlay and have retrieved the
>> 'authtimestamp' attribute on openldap 2.4.30. What I found is that the
>> timestamps on the attribute have different values on the master server
>> and slave servers. Is there any way to fix this issue? An application
>> developer wants to retrieve this value to create a report on 90 days of
>> inactivity for users and since the attribute has different values on
>> different servers the testing on the accuracy of the report is failing.
>> Thank you.
>>
>
> Read the slapo-ppolicy(5) man page.
>
I'm sorry, but I think RTFM is not the right answer this time ;)
authtimestamp is not managed by ppolicy but by the lastbind overlay.
To answer the question, I think the only thing to do is check all
directories to create the report. It should not be difficult for your
application developer.
Clément.
>
> --Quanah
>
> --
>
> Quanah Gibson-Mount
> Sr. Member of Technical Staff
> Zimbra, Inc
> A Division of VMware, Inc.
> --------------------
> Zimbra :: the leader in open source messaging and collaboration
>
>
10 years, 10 months
"authtimestamp" attribute replication
by jeevan kc
Hello
So I have initiated the lastbind overlay and have retrieved the 'authtimestamp' attribute on openldap 2.4.30. What I found is that the timestamps on the attribute have different values on the master server and slave servers. Is there any way to fix this issue? An application developer wants to retrieve this value to create a report on 90 days of inactivity for users and since the attribute has different values on different servers the testing on the accuracy of the report is failing.
Thank you.
10 years, 10 months
OpenLDAP on SMP/multicore environment
by Friedrich Locke
Hi folks,
I would like to set up a new openldap server in my workplace. If possible,
I would like to install openldap on a multicore server running
OpenBSD/amd64 5.1.
Can OpenLDAP benefit from an SMP system? If yes, any tip on where to go to
learn how to set up OpenLDAP to take full advantage of an SMP system?
Thanks in advance.
10 years, 10 months
Re: Index Add Failures
by Kyle Smith
> a) Slapadd does a slapindex. Why would you slapadd and then slapindex?
>
Because I forgot that slapadd also does slapindex.
>
> b) What version of OpenLDAP? slapindex still shouldn't cause a failure.
2.4.33
>
>
> --Quanah
>
> --
>
> Quanah Gibson-Mount
> Sr. Member of Technical Staff
> Zimbra, Inc
> A Division of VMware, Inc.
> --------------------
> Zimbra :: the leader in open source messaging and collaboration
>
10 years, 10 months