Private OID range(s) ?
by Nick Milas
Hello,
I was wondering whether there exists - officially or unofficially - a
range of private OIDs which can be used internally (privately) in an
organization, and is not allowed for schema distribution; something like
private network IP address ranges (10.0.0.0/8, etc.).
The existence of such private OIDs would allow organizations to avoid
registering their own OID branch, since the "private" OID range would
guarantee that these OIDs can be used internally by the organization
safely and would not be included in a new schema distribution; thus,
conflicts can be excluded. Any organization which would be using such a
"private OID range" should not be allowed to make the associated LDAP
attributes publicly available (not even searchable) in its Directory
interactions.
Secondarily, the above would also serve as an "example" range of OIDs
which could be used for communication of schema drafts.
I haven't come across something like this until now.
Thanks,
Nick
11 years, 7 months
Re: RE24 testing call#1 (2.4.30)
by Jens Vagelpohl
On Feb 24, 2012, at 19:20 , Quanah Gibson-Mount wrote:
> If you know how to build OpenLDAP manually, and would like to participate in testing the next set of code for the 2.4.30 release, please do so.
All OK on OS X 10.7.3 x86_64 against BDB 4.7.52+patches
jens
11 years, 7 months
Controlling access based on group membership
by Nick Milas
Hi,
I have a problem of long and complex ACLs which I need to improve.
Therefore, I am thinking of a way to change privilege (access) management.
I have dc=example,dc=com, with branches ou=people, ou=aliases (for email
use), ou=dns (dns entries), ou=Groups.
In ou=Groups entries are of the form:
dn: cn=TechAdmins,ou=Groups,dc=example,dc=com
objectClass: groupOfNames
cn: TechAdmins
member: uid=jack,ou=people,dc=example,dc=com
member: uid=jeff,ou=people,dc=example,dc=com
I would like to be able to control access to any and all entries based
on attributes (to be added to the entries) which specify a group to be
used for administration.
So, for example, I could add to all entries an AUXiliary objectClass
(hypothetical at the moment) "AdminGroupOwnership" with (multi-valued)
attributes: AdminGroups and ReadGroups, SearchGroups with values of the
form: cn=<groupname>,ou=Groups,dc=example,dc=com. Members of the first
would have write access, members of the second would have read access,
and members of the third would have search access only.
I would like to ask the list:
1. Can someone demonstrate how we should formulate an ACL which would
accomplish the above? The ACL should say:
access to <some entries> <some attribute>
by {a DN which belongs to a Group specified in the AdminGroups attr
of the entry} write
by {a DN which belongs to a Group specified in the ReadGroups attr of
the entry} read
by {a DN which belongs to a Group specified in the SearchGroups attr of
the entry} search
2. Is there an existing (included in the distribution or available from
a third-party) schema or similar mechanism available (so that I don't
re-invent the wheel)?
Thanks in advance,
Nick
11 years, 7 months
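One way to express the rule Nick asks for, as an added example that is not from the thread: a slapd.conf fragment using slapd's set-style ACL clauses (slapd.access(5)). The attribute and class names are the hypothetical ones from the post, dc=example,dc=com is the post's suffix, and the schema OIDs are placeholders to be replaced with an arc the organization owns.

```conf
# Schema for the AUXILIARY class sketched in the post. Replace <YOUR-ARC>
# with an OID arc you actually own; the syntax 1.3.6.1.4.1.1466.115.121.1.12
# (DN) is required so that the set clauses below can follow the values.
attributetype ( <YOUR-ARC>.1.1 NAME 'AdminGroups'
    DESC 'Groups whose members may write this entry'
    EQUALITY distinguishedNameMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
attributetype ( <YOUR-ARC>.1.2 NAME 'ReadGroups'
    DESC 'Groups whose members may read this entry'
    EQUALITY distinguishedNameMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
attributetype ( <YOUR-ARC>.1.3 NAME 'SearchGroups'
    DESC 'Groups whose members may only search this entry'
    EQUALITY distinguishedNameMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
objectclass ( <YOUR-ARC>.2.1 NAME 'AdminGroupOwnership'
    DESC 'Per-entry delegation of access to groups'
    AUXILIARY
    MAY ( AdminGroups $ ReadGroups $ SearchGroups ) )

# ACLs (place them after the "database" directive they apply to).
# "set" clauses are marked experimental in slapd.access(5). In a set,
# "this" is the entry being accessed and "user" is the bound DN.
# this/AdminGroups/member follows the DN values of AdminGroups on the
# target entry to the group entries and collects their member values;
# "& user" makes the clause true only if the bound DN is among them.
# Clauses are tried in order and the first match wins, so the most
# privileged clause comes first.

# Passwords: owner and delegated admins may change them, anonymous may
# only bind against them, nobody else may read them.
access to attrs=userPassword
    by self write
    by anonymous auth
    by set="this/AdminGroups/member & user" write
    by * none

# The delegation attributes themselves: only delegated admins may change
# who administers an entry. Without this separate rule the generic rule
# below would already grant that, so it is here to make the choice explicit.
access to attrs=AdminGroups,ReadGroups,SearchGroups
    by set="this/AdminGroups/member & user" write
    by * read

# Everything else under the suffix. Restrict with "attrs=" (as in the
# post's "<some attribute>") if only part of the entry should be delegated.
# Note that each set clause costs slapd an internal lookup of the group
# entries for every entry it evaluates, so keep the group count small.
access to dn.subtree="dc=example,dc=com"
    by set="this/AdminGroups/member & user" write
    by set="this/ReadGroups/member & user" read
    by set="this/SearchGroups/member & user" search
    by * none
```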
How to delete openldap database
by Peter Blajev
Fresh install of openldap 2.4.23 and friends on RHEL6/CentOS6 comes with
dc=my-domain,dc=com database.
After starting slapd when I try to delete it the server is not willing to
perform:
====
# ldapsearch -x -LLL -s base namingContexts
dn:
namingContexts: dc=my-domain,dc=com
# ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config dn
dn: cn=config
dn: cn=schema,cn=config
dn: cn={0}corba,cn=schema,cn=config
... (snip) ...
dn: olcDatabase={2}bdb,cn=config
# ldapdelete -Q -Y EXTERNAL -H ldapi:/// -v olcDatabase={2}bdb,cn=config
ldap_initialize( ldapi:///??base )
deleting entry "olcDatabase={2}bdb,cn=config"
ldap_delete: Server is unwilling to perform (53)
====
I can delete /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{2\}bdb.ldif
file before starting slapd but what is the proper way of deleting this
database?
Thank you
--
Peter
11 years, 7 months
TLS/SSL issues
by Paul Stephens
Hi,
Having problems getting my TLS setup working.
Current setup:
Ubuntu 11.10 (3.0.0-16 server)
OpenLDAP 2.4.25
I have been using the instructions at:
https://help.ubuntu.com/11.10/serverguide/C/openldap-server.html though to
be honest I am relatively new to TLS and using certtool, etc. I have now
been copy and pasting the commands given in case my typing is as good as it
usually is.
Unencrypted LDAP works fine including syncing with a slave and samba
authentication (non-TLS that is!)
It appears to be something to do with the self-signed certificate not being
trusted and seems to be a common problem people run into. I have been
researching it for a while but at this stage I’m kind of just trying
randomly browsed suggestions, with most admittedly geared towards previous
OpenLDAP versions and not really assisting with my understanding of the
problem in the first place.
I’ll probably give away more information than I should below but at this
stage I will just blow everything away and start again once I understand
where I’m going wrong anyway.
So when I try:
# nutls-cli --print-cert -p 636 cabernet.burnet.edu.au
Resolving 'cabernet.burnet.edu.au'...
Connecting to '10.10.0.3:636'...
- Certificate type: X.509
- Got a certificate list of 2 certificates.
- Certificate[0] info:
- subject `O=Burnet Institute,CN=cabernet.burnet.edu.au', issuer `CN=
cabernet.burnet.edu.au', RSA key 1024 bits, signed using RSA-SHA1,
activated `2012-02-23 04:57:57 UTC', expires `2022-02-20 04:57:57 UTC',
SHA-1 fingerprint `346ed1e006ce7975afbcaf81d58de886b25953de'
- Certificate[1] info:
- subject `CN=cabernet.burnet.edu.au', issuer `CN=cabernet.burnet.edu.au',
RSA key 2048 bits, signed using RSA-SHA1, activated `2012-02-23 04:54:42
UTC', expires `2013-02-22 04:54:42 UTC', SHA-1 fingerprint
`d666459a5417a25adc7dbbf6f4bad5c6345166ee'
- The hostname in the certificate matches 'cabernet.burnet.edu.au'.
- Peer's certificate issuer is unknown
- Peer's certificate is NOT trusted
- Version: TLS1.2
- Key Exchange: RSA
- Cipher: AES-128-CBC
- MAC: SHA256
- Compression: NULL
- Handshake was completed
******* LDAP search TLS test ******
# ldapsearch -ZZ -d -1
ldap_create
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP localhost:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 127.0.0.1:389
ldap_pvt_connect: fd: 3 tm: -1 async: 0
ldap_open_defconn: successful
ldap_send_server_request
TLS: peer cert untrusted or revoked (0x42)
TLS: can't connect: (unknown error code).
ldap_err2string
ldap_start_tls: Connect error (-11)
additional info: (unknown error code)
I also get quite a few of these errors in the syslog, though they don’t appear
to coincide with my manual connection attempts:
Feb 23 16:20:41 cabernet slapd[9024]: connection_read(25): no connection!
Feb 23 16:20:41 cabernet slapd[9024]: <= bdb_equality_candidates:
(objectClass) not indexed
Please let me know if there is anything else you want and thanks in advance
for any suggestions
Cheers
Paul
11 years, 7 months
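The gnutls-cli output above says the chain is sent but the issuer is unknown, so the missing piece is a trust anchor on the client. As an added example that is not from Paul's post or the Ubuntu guide, these are the client-side settings that address it; it assumes the CA certificate is at /etc/ssl/certs/cacert.pem (the path the Ubuntu guide uses) and that the system client config is /etc/ldap/ldap.conf.

```conf
# /etc/ldap/ldap.conf (system-wide) or ~/.ldaprc (per user) -- assumed paths.
#
# The server sends two certificates; the second one (CN=cabernet.burnet.edu.au,
# 2048-bit, self-signed) is the issuer of the first. The client must be told
# to trust it explicitly, in PEM form:
TLS_CACERT      /etc/ssl/certs/cacert.pem

# Keep the default. Lowering this to "allow" or "never" makes the
# "peer cert untrusted" error go away by switching verification off, which
# defeats the purpose of TLS (any server could impersonate this one).
TLS_REQCERT     demand

# The ldapsearch -ZZ trace connected to localhost:389 (the default URI),
# but the certificate names cabernet.burnet.edu.au. Once the issuer is
# trusted the hostname is checked as well, so use the certified name here
# (or pass -H ldap://cabernet.burnet.edu.au on the command line).
URI             ldap://cabernet.burnet.edu.au
```

With this in place, gnutls-cli --x509cafile /etc/ssl/certs/cacert.pem -p 636 cabernet.burnet.edu.au should report the peer certificate as trusted before retrying ldapsearch -ZZ.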
Re: alias entries across database bounds, allowed if DBs are "subordinate"?
by Judd Maltin
On Fri, Feb 24, 2012 at 11:47 AM, Quanah Gibson-Mount <quanah(a)zimbra.com> wrote:
> --On Thursday, February 23, 2012 5:04 PM -0800 Howard Chu <hyc(a)symas.com>
> wrote:
>
>> Judd Maltin wrote:
>>>
>>> Hey folks,
>>>
>>> On the same slapd server, I have two databases with different suffixes.
>>>
>>> I'd like to create an alias entry in one database and suffix to return
>>> an entry from the other database and suffix.
>>>
>>> Would this be possible if the second database were subordinate to the
>>> other? Or, because it does not share namingContext by being in the
>>> same suffix, would it fail?
>>>
>>> Otherwise I'm going to setup another slapd and use back-ldap/meta to
>>> proxy what I need.
>>
>>
>> No, aliases cannot cross DB boundaries, regardless of subordinate.
>
>
> Any reason why you don't make it all a single DB?
>
> --Quanah
>
Thanks for the responses, guys.
I inherited the existing and will be replacing with one DB.
I'm now slapcatting the DBs and loading into a single DB as POC.
-judd
--
Judd Maltin
T: 917-882-1270
F: 501-694-7809
A loving heart is never wrong.
11 years, 7 months
OpenLDAP training Europe
by Pieter Baele
Any recommendations for OpenLDAP training going further than the basics?
location: Belgium, France, Germany or UK
Sincerely, PieterB
11 years, 7 months
alias entries across database bounds, allowed if DBs are "subordinate"?
by Judd Maltin
Hey folks,
On the same slapd server, I have two databases with different suffixes.
I'd like to create an alias entry in one database and suffix to return
an entry from the other database and suffix.
Would this be possible if the second database were subordinate to the
other? Or, because it does not share namingContext by being in the
same suffix, would it fail?
Otherwise I'm going to setup another slapd and use back-ldap/meta to
proxy what I need.
Thanks!
-judd
--
Judd Maltin
T: 917-882-1270
F: 501-694-7809
A loving heart is never wrong.
11 years, 7 months
bdb to hdb conversion
by btb@bitrate.net
i've just converted an existing database/directory from bdb to hdb. it
appears to have worked, and all seems to be in order, but is there
something i can do to demonstrate empirically that it is in fact hdb now?
11 years, 7 months
Re: Howto implement RBAC with OU's and posixGroups
by Fred van Zwieten
What I mean with "this" in "in AD this is possible" is the fact that you
can assign group membership to OU membership (when user A is a member of OU
B, user A will become a member of group C).
Afaik this is not possible with OpenLDAP. If it is, I would really like to
know how. My only bet is with dynamic groups/list, but I have no idea how.
Fred
2012/2/23 Buchan Milne <bgmilne(a)staff.telkomsa.net>
> On Wednesday, 22 February 2012 11:22:55 Fred van Zwieten wrote:
> > Hi all,
> >
> > warning: openldap newbie..
> >
> > is it possible to have a person put into an OU and, because of this, will
> > become member of some group in such a way that this group shows up in
> linux
> > using "id". This to implement some form of RBAC. I found GroupofMembers,
> > but that has nothing to do with OU's. Also, it seems posixGroup and
> > groupOfMembers objecttypes are no longer allowed together because they are
> > both STRUCTURAL.
>
> Not in nis.schema, but in rfc2307bis.schema, posixGroup is not structural.
>
> > In AD this is possible.
>
> It is possible in OpenLDAP too. Just now with nis.schema. Most LDAP clients
> support rfc2307bis.
>
> Regards,
> Buchan
>
11 years, 7 months