February 2012 - openldap-technical

by Nick Milas

Hello, I was wondering whether there exists - officially or unofficially - a range of private OIDs which can be used internally (privately) in an organization, and is not allowed for schema distribution; something like private network IP address ranges (10.0.0.0/8, etc.) The existence of such private OIDs would allow organizations to avoid registering their own OID branch, since the "private" OID range would guarrantee that these OIDs can be used internally by the organization safely and would not be included in a new schema distribution; thus, conflicts can be excluded. Any organization which would be using such a "private OID range", should not be allowed to make the associated LDAP attributes publicly available (not even searchable) in its Directory interations. Secondarily, the above would also serve as an "example" range of OIDs which could be used for communication of schema drafts. I haven't come across something like this until now. Thanks, Nick

11 years, 7 months

5
10
0 / 0

Re: RE24 testing call#1 (2.4.30)

by Jens Vagelpohl

On Feb 24, 2012, at 19:20 , Quanah Gibson-Mount wrote: > If you know how to build OpenLDAP manually, and would like to participate in testing the next set of code for the 2.4.30 release, please do so. All OK on OS X 10.7.3 x86_64 against BDB 4.7.52+patches jens

11 years, 7 months

2
1
0 / 0

Controlling access based on group membership

by Nick Milas

Hi, I have a problem of long and complex ACLs which I need to improve. Therefore, I am thinking of a way to change privilege (access) management. I have dc=example,dc=com, with branches ou=people, ou=aliases (for email use), ou=dns (dns entries), ou=Groups. In ou=Groups entries are of the form: dn: cn=TechAdmins,ou=Groups,dc=example,dc=com objectClass: groupOfNames cn: TechAdmins member: uid=jack,ou=people,dc=example,dc=com member: uid=jeff,ou=people,dc=example,dc=com I would like to be able to control access to any and all entries based on attributes (to be added to the entries) which specify a group to be used for administration. So, for example, I could add to all entries an AUXiliary objectClass (hypothetical at the moment) "AdminGroupOwnership" with (multi-valued) attributes: AdminGroups and ReadGroups, SearchGroups with values of the form: cn=<groupname>,ou=Groups,dc=example,dc=com. Members of the first would have write access, members of the second would have read access, and members of the third would have search access only. I would like to ask the list: 1. Can someone demonstrate how we should formulate an ACL which would accomplish the above? The ACL should say: access to <some entries> <some attribute> by {a DN which belongs to a Group specified in the AdminGroups attr of the entry} write by {a DN which belongs to a Group specified in the ReadGroups attr of the entry} read by {a DN which belongs to a Group specified in the SearchGroups attr of the entry} search 2. Is there an existing (included in the distribution or available from a third-party) schema or similar mechanism available (so that I don't re-invent the wheel)? Thanks in advance, Nick

11 years, 7 months

3
10
0 / 0

How to delete openldap database

by Peter Blajev

Fresh install of openldap 2.4.23 and friends on RHEL6/CentOS6 comes with dc=my-domain,dc=com database. After starting slapd when I try to delete it the server is not willing to perform: ==== # ldapsearch -x -LLL -s base namingContexts dn: namingContexts: dc=my-domain,dc=com # ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config dn dn: cn=config dn: cn=schema,cn=config dn: cn={0}corba,cn=schema,cn=config ... (snip) ... dn: olcDatabase={2}bdb,cn=config # ldapdelete -Q -Y EXTERNAL -H ldapi:/// -v olcDatabase={2}bdb,cn=config ldap_initialize( ldapi:///??base ) deleting entry "olcDatabase={2}bdb,cn=config" ldap_delete: Server is unwilling to perform (53) ==== I can delete /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{2\}bdb.ldif file before starting slapd but what is the proper way of deleting this database? Thank you -- Peter

11 years, 7 months

1
0
0 / 0

TLS/SSL issues

by Paul Stephens

Hi, Having problems getting my TLS setup working. Current setup: Ubuntu 11.10 (3.0.0-16 server) OpenLDAP 2.4.25 I have been using the instructions at: https://help.ubuntu.com/11.10/serverguide/C/openldap-server.html though to be honest I am relatively new to TLS and using certtool, etc. I have now been copy and pasting the commands given in case my typing is as good as it usually is. Unencrypted LDAP works fine including syncing with a slave and samba authentication (non-TLS that is!) It appears to be something to do with the self-signed certificate not being trusted and seems to be a common problem people run into. I have been researching it for a while but at this stage I’m kind of just trying randomly browsed suggestions, with most admittedly geared towards pervious OpenLDAP versions and not really assisting with my understanding of the problem in the first place. I’ll probably give away more information than I should below but at this stage I will just blow everything away and start again once I understand where I’m going wrong anyway. So when I try: # nutls-cli --print-cert -p 636 cabernet.burnet.edu.au Resolving 'cabernet.burnet.edu.au'... Connecting to '10.10.0.3:636'... - Certificate type: X.509 - Got a certificate list of 2 certificates. - Certificate[0] info: - subject `O=Burnet Institute,CN=cabernet.burnet.edu.au', issuer `CN= cabernet.burnet.edu.au', RSA key 1024 bits, signed using RSA-SHA1, activated `2012-02-23 04:57:57 UTC', expires `2022-02-20 04:57:57 UTC', SHA-1 fingerprint `346ed1e006ce7975afbcaf81d58de886b25953de' -----BEGIN CERTIFICATE----- MIICzTCCAbWgAwIBAgIET0XHVTANBgkqhkiG9w0BAQUFADAhMR8wHQYDVQQDExZj YWJlcm5ldC5idXJuZXQuZWR1LmF1MB4XDTEyMDIyMzA0NTc1N1oXDTIyMDIyMDA0 NTc1N1owPDEZMBcGA1UEChMQQnVybmV0IEluc3RpdHV0ZTEfMB0GA1UEAxMWY2Fi ZXJuZXQuYnVybmV0LmVkdS5hdTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA wwwwl9aNyiAsAktsYbWhS6ePMOIcE3pSt0tT4BG3CUu22/ER9iV9NTZ2JlPiduHr Tq7NBp6PCCz9jpH+k9LZcMwbH+3d1HXK7trKM+JZo4oWHW08Iy7FsW+zIxHVhbwr 2P1qxG7FrSOJ0pchYgVMkZ6UqMJKfKXlbdwdt28DqKcCAwEAAaN2MHQwDAYDVR0T AQH/BAIwADATBgNVHSUEDDAKBggrBgEFBQcDATAPBgNVHQ8BAf8EBQMDB6AAMB0G A1UdDgQWBBT3BkevTphmj4dd+D6NbwRSQWdlOzAfBgNVHSMEGDAWgBSeTWcMd+Ku cx3LyZwwmlVCqf4QhzANBgkqhkiG9w0BAQUFAAOCAQEAORZl+B7XZ+7ygXWKcAph 3pfwImm1SevJqmtDnzNz3XW7zm/8MKBtVjZsvS7l8/pxpGDThuop5RvQMZY7RwiS SCFo7QglnM+kGqAuqIIBPCiQSNP3cxBBCcjUC88Mzm34+iIZIzvabjHHD+/7bD2x Sd5pSJxH6zvyVbZcEwHgVtK6gBQ3r1fMFrgC6ggu21pS+J8lVCvTG4gvRx8VIVG8 BusdlMbtiOOz+MY9XrDIfjQ0vyE6y+lYy/SdFOcUCmfd+vH6aT/yl4sMVMUXXGo6 BrIkPLBzUjJzXJAyfMq0qiRKaxqLXloAvAsu/7uP25ldrIbjsHEBSfTR0d984BMW ow== -----END CERTIFICATE----- - Certificate[1] info: - subject `CN=cabernet.burnet.edu.au', issuer `CN=cabernet.burnet.edu.au', RSA key 2048 bits, signed using RSA-SHA1, activated `2012-02-23 04:54:42 UTC', expires `2013-02-22 04:54:42 UTC', SHA-1 fingerprint `d666459a5417a25adc7dbbf6f4bad5c6345166ee' -----BEGIN CERTIFICATE----- MIIDAzCCAeugAwIBAgIET0XGkjANBgkqhkiG9w0BAQUFADAhMR8wHQYDVQQDExZj YWJlcm5ldC5idXJuZXQuZWR1LmF1MB4XDTEyMDIyMzA0NTQ0MloXDTEzMDIyMjA0 NTQ0MlowITEfMB0GA1UEAxMWY2FiZXJuZXQuYnVybmV0LmVkdS5hdTCCASIwDQYJ KoZIhvcNAQEBBQADggEPADCCAQoCggEBAPSW4LRc/C0u9DcwA7twyZnKJblGkMt1 mRmoyZUnUu60bSmZB5ulf1IVICWg2Rdv9mfGoB4zmixLJINg6TPiHXpCw7ad2Ci9 hUx30BFpy4H0qOElV1ZPnA/hi2fNgFODB7TSMuV+EoNPosxWkufhYH0mfaWyfIFH ZlfJUPtF2Lg1U4nyDjVKq4QNyFM/Hzhk3M/kSlSwSIQbw2b4U6QaprVc31RKUPsp 9i44k+2eA5SMXGafCGyvH/3pprnWil4t+Snr4IBrv+w63T5Ip7JT1S//fSN48+0E vwTJbZp0+8MoHHbFeutJCh6Omwj/8+H2sKqftXVqMglqbv2WWMIV/V0CAwEAAaND MEEwDwYDVR0TAQH/BAUwAwEB/zAPBgNVHQ8BAf8EBQMDBwQAMB0GA1UdDgQWBBSe TWcMd+Kucx3LyZwwmlVCqf4QhzANBgkqhkiG9w0BAQUFAAOCAQEAiFNzqT2C8gFw sSGA1OJ30yZPVRajvZgyJS4y4tdxOzfQtSKy1sZwCfFSb8z8Ejuj75WhLFvJ+8UV fpmmBwT/o83BbCDoI6eayt0lBqeEGcEciOtKsrds+Qa8rhywVdXcO+cdE5SgjtdL DsVHWXp9krYy7cDM2Fthidwz+TdifgMWjEMI8M/zO+51ceGRPpfOjlmFsRFW2aQp YJP/MaQEkxN2UgN+K4OXHJo7l/NcLVu+e34JKeRd/l7xfxnjfMxvoPXmxzCNOVd8 RAsWd3McOL4osTY5O5sQYnu5/L3Kbyqear88reVFfJwvYAp/UXy/ozVcebXo5M+p dNpyevLA2g== -----END CERTIFICATE----- - The hostname in the certificate matches 'cabernet.burnet.edu.au'. - Peer's certificate issuer is unknown - Peer's certificate is NOT trusted - Version: TLS1.2 - Key Exchange: RSA - Cipher: AES-128-CBC - MAC: SHA256 - Compression: NULL - Handshake was completed ******* LDAP search TLS test ****** # ldapsearch -ZZ -d -1 ldap_create ldap_extended_operation_s ldap_extended_operation ldap_send_initial_request ldap_new_connection 1 1 0 ldap_int_open_connection ldap_connect_to_host: TCP localhost:389 ldap_new_socket: 3 ldap_prepare_socket: 3 ldap_connect_to_host: Trying 127.0.0.1:389 ldap_pvt_connect: fd: 3 tm: -1 async: 0 ldap_open_defconn: successful ldap_send_server_request ber_scanf fmt ({it) ber: ber_dump: buf=0x7ff66fe28680 ptr=0x7ff66fe28680 end=0x7ff66fe2869f len=31 0000: 30 1d 02 01 01 77 18 80 16 31 2e 33 2e 36 2e 31 0....w...1.3.6.1 0010: 2e 34 2e 31 2e 31 34 36 36 2e 32 30 30 33 37 .4.1.1466.20037 ber_scanf fmt ({) ber: ber_dump: buf=0x7ff66fe28680 ptr=0x7ff66fe28685 end=0x7ff66fe2869f len=26 0000: 77 18 80 16 31 2e 33 2e 36 2e 31 2e 34 2e 31 2e w...1.3.6.1.4.1. 0010: 31 34 36 36 2e 32 30 30 33 37 1466.20037 ber_flush2: 31 bytes to sd 3 0000: 30 1d 02 01 01 77 18 80 16 31 2e 33 2e 36 2e 31 0....w...1.3.6.1 0010: 2e 34 2e 31 2e 31 34 36 36 2e 32 30 30 33 37 .4.1.1466.20037 ldap_write: want=31, written=31 0000: 30 1d 02 01 01 77 18 80 16 31 2e 33 2e 36 2e 31 0....w...1.3.6.1 0010: 2e 34 2e 31 2e 31 34 36 36 2e 32 30 30 33 37 .4.1.1466.20037 ldap_result ld 0x7ff66fe1f160 msgid 1 wait4msg ld 0x7ff66fe1f160 msgid 1 (infinite timeout) wait4msg continue ld 0x7ff66fe1f160 msgid 1 all 1 ** ld 0x7ff66fe1f160 Connections: * host: localhost port: 389 (default) refcnt: 2 status: Connected last used: Thu Feb 23 16:54:28 2012 ** ld 0x7ff66fe1f160 Outstanding Requests: * msgid 1, origid 1, status InProgress outstanding referrals 0, parent count 0 ld 0x7ff66fe1f160 request count 1 (abandoned 0) ** ld 0x7ff66fe1f160 Response Queue: Empty ld 0x7ff66fe1f160 response count 0 ldap_chkResponseList ld 0x7ff66fe1f160 msgid 1 all 1 ldap_chkResponseList returns ld 0x7ff66fe1f160 NULL ldap_int_select read1msg: ld 0x7ff66fe1f160 msgid 1 all 1 ber_get_next ldap_read: want=8, got=8 0000: 30 0c 02 01 01 78 07 0a 0....x.. ldap_read: want=6, got=6 0000: 01 00 04 00 04 00 ...... ber_get_next: tag 0x30 len 12 contents: ber_dump: buf=0x7ff66fe297e0 ptr=0x7ff66fe297e0 end=0x7ff66fe297ec len=12 0000: 02 01 01 78 07 0a 01 00 04 00 04 00 ...x........ read1msg: ld 0x7ff66fe1f160 msgid 1 message type extended-result ber_scanf fmt ({eAA) ber: ber_dump: buf=0x7ff66fe297e0 ptr=0x7ff66fe297e3 end=0x7ff66fe297ec len=9 0000: 78 07 0a 01 00 04 00 04 00 x........ read1msg: ld 0x7ff66fe1f160 0 new referrals read1msg: mark request completed, ld 0x7ff66fe1f160 msgid 1 request done: ld 0x7ff66fe1f160 msgid 1 res_errno: 0, res_error: <>, res_matched: <> ldap_free_request (origid 1, msgid 1) ldap_parse_extended_result ber_scanf fmt ({eAA) ber: ber_dump: buf=0x7ff66fe297e0 ptr=0x7ff66fe297e3 end=0x7ff66fe297ec len=9 0000: 78 07 0a 01 00 04 00 04 00 x........ ldap_parse_result ber_scanf fmt ({iAA) ber: ber_dump: buf=0x7ff66fe297e0 ptr=0x7ff66fe297e3 end=0x7ff66fe297ec len=9 0000: 78 07 0a 01 00 04 00 04 00 x........ ber_scanf fmt (}) ber: ber_dump: buf=0x7ff66fe297e0 ptr=0x7ff66fe297ec end=0x7ff66fe297ec len=0 ldap_msgfree tls_write: want=126, written=126 0000: 16 03 03 00 79 01 00 00 75 03 03 4f 45 d4 94 f1 ....y...u..OE... 0010: 7c 3e 41 05 6a 43 c7 96 05 77 9d f3 83 22 c7 c5 |>A.jC...w...".. 0020: d8 b0 06 7c 6f fe 70 b6 b4 fa 78 00 00 30 00 67 ...|o.p...x..0.g 0030: 00 33 00 45 00 6b 00 39 00 88 00 16 00 40 00 32 .3.E.k.9.....@.2 0040: 00 44 00 6a 00 38 00 87 00 13 00 66 00 3c 00 2f .D.j.8.....f.<./ 0050: 00 41 00 3d 00 35 00 84 00 0a 00 05 00 04 01 00 .A.=.5.......... 0060: 00 1c 00 09 00 03 02 00 01 ff 01 00 01 00 00 0d ................ 0070: 00 0c 00 0a 02 01 02 02 04 01 05 01 06 01 .............. tls_read: want=5, got=5 0000: 16 03 03 00 51 ....Q tls_read: want=81, got=81 0000: 02 00 00 4d 03 03 4f 45 d4 94 9e 56 0b 56 c2 c1 ...M..OE...V.V.. 0010: 6b 05 2b 45 e1 bd 0b 64 32 58 b7 0e 12 ad e2 99 k.+E...d2X...... 0020: bd 8e de c7 97 c5 20 0d ab 14 f0 0b 42 44 47 20 ...... .....BDG 0030: 95 67 22 45 74 ab 50 51 9f a8 b8 f1 d4 14 73 2e .g"Et.PQ......s. 0040: 9f 0d 61 6d 4d d1 a7 00 3c 00 00 05 ff 01 00 01 ..amM...<....... 0050: 00 . tls_read: want=5, got=5 0000: 16 03 03 05 e5 ..... tls_read: want=1509, got=1509 0000: 0b 00 05 e1 00 05 de 00 02 d1 30 82 02 cd 30 82 ..........0...0. 0010: 01 b5 a0 03 02 01 02 02 04 4f 45 c7 55 30 0d 06 .........OE.U0.. 0020: 09 2a 86 48 86 f7 0d 01 01 05 05 00 30 21 31 1f .*.H........0!1. 0030: 30 1d 06 03 55 04 03 13 16 63 61 62 65 72 6e 65 0...U....caberne 0040: 74 2e 62 75 72 6e 65 74 2e 65 64 75 2e 61 75 30 t.burnet.edu.au0 0050: 1e 17 0d 31 32 30 32 32 33 30 34 35 37 35 37 5a ...120223045757Z 0060: 17 0d 32 32 30 32 32 30 30 34 35 37 35 37 5a 30 ..220220045757Z0 0070: 3c 31 19 30 17 06 03 55 04 0a 13 10 42 75 72 6e <1.0...U....Burn 0080: 65 74 20 49 6e 73 74 69 74 75 74 65 31 1f 30 1d et Institute1.0. 0090: 06 03 55 04 03 13 16 63 61 62 65 72 6e 65 74 2e ..U....cabernet. 00a0: 62 75 72 6e 65 74 2e 65 64 75 2e 61 75 30 81 9f burnet.edu.au0.. 00b0: 30 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 0...*.H......... 00c0: 81 8d 00 30 81 89 02 81 81 00 c3 0c 30 97 d6 8d ...0........0... 00d0: ca 20 2c 02 4b 6c 61 b5 a1 4b a7 8f 30 e2 1c 13 . ,.Kla..K..0... 00e0: 7a 52 b7 4b 53 e0 11 b7 09 4b b6 db f1 11 f6 25 zR.KS....K.....% 00f0: 7d 35 36 76 26 53 e2 76 e1 eb 4e ae cd 06 9e 8f }56v&S.v..N..... 0100: 08 2c fd 8e 91 fe 93 d2 d9 70 cc 1b 1f ed dd d4 .,.......p...... 0110: 75 ca ee da ca 33 e2 59 a3 8a 16 1d 6d 3c 23 2e u....3.Y....m<#. 0120: c5 b1 6f b3 23 11 d5 85 bc 2b d8 fd 6a c4 6e c5 ..o.#....+..j.n. 0130: ad 23 89 d2 97 21 62 05 4c 91 9e 94 a8 c2 4a 7c .#...!b.L.....J| 0140: a5 e5 6d dc 1d b7 6f 03 a8 a7 02 03 01 00 01 a3 ..m...o......... 0150: 76 30 74 30 0c 06 03 55 1d 13 01 01 ff 04 02 30 v0t0...U.......0 0160: 00 30 13 06 03 55 1d 25 04 0c 30 0a 06 08 2b 06 .0...U.%..0...+. 0170: 01 05 05 07 03 01 30 0f 06 03 55 1d 0f 01 01 ff ......0...U..... 0180: 04 05 03 03 07 a0 00 30 1d 06 03 55 1d 0e 04 16 .......0...U.... 0190: 04 14 f7 06 47 af 4e 98 66 8f 87 5d f8 3e 8d 6f ....G.N.f..].>.o 01a0: 04 52 41 67 65 3b 30 1f 06 03 55 1d 23 04 18 30 .RAge;0...U.#..0 01b0: 16 80 14 9e 4d 67 0c 77 e2 ae 73 1d cb c9 9c 30 ....Mg.w..s....0 01c0: 9a 55 42 a9 fe 10 87 30 0d 06 09 2a 86 48 86 f7 .UB....0...*.H.. 01d0: 0d 01 01 05 05 00 03 82 01 01 00 39 16 65 f8 1e ...........9.e.. 01e0: d7 67 ee f2 81 75 8a 70 0a 61 de 97 f0 22 69 b5 .g...u.p.a..."i. 01f0: 49 eb c9 aa 6b 43 9f 33 73 dd 75 bb ce 6f fc 30 I...kC.3s.u..o.0 0200: a0 6d 56 36 6c bd 2e e5 f3 fa 71 a4 60 d3 86 ea .mV6l.....q.`... 0210: 29 e5 1b d0 31 96 3b 47 08 92 48 21 68 ed 08 25 )...1.;G..H!h..% 0220: 9c cf a4 1a a0 2e a8 82 01 3c 28 90 48 d3 f7 73 .........<(.H..s 0230: 10 41 09 c8 d4 0b cf 0c ce 6d f8 fa 22 19 23 3b .A.......m..".#; 0240: da 6e 31 c7 0f ef fb 6c 3d b1 49 de 69 48 9c 47 .n1....l=.I.iH.G 0250: eb 3b f2 55 b6 5c 13 01 e0 56 d2 ba 80 14 37 af .;.U.\...V....7. 0260: 57 cc 16 b8 02 ea 08 2e db 5a 52 f8 9f 25 54 2b W........ZR..%T+ 0270: d3 1b 88 2f 47 1f 15 21 51 bc 06 eb 1d 94 c6 ed .../G..!Q....... 0280: 88 e3 b3 f8 c6 3d 5e b0 c8 7e 34 34 bf 21 3a cb .....=^..~44.!:. 0290: e9 58 cb f4 9d 14 e7 14 0a 67 dd fa f1 fa 69 3f .X.......g....i? 02a0: f2 97 8b 0c 54 c5 17 5c 6a 3a 06 b2 24 3c b0 73 ....T..\j:..$<.s 02b0: 52 32 73 5c 90 32 7c ca b4 aa 24 4a 6b 1a 8b 5e R2s\.2|...$Jk..^ 02c0: 5a 00 bc 0b 2e ff bb 8f db 99 5d ac 86 e3 b0 71 Z.........]....q 02d0: 01 49 f4 d1 d1 df 7c e0 13 16 a3 00 03 07 30 82 .I....|.......0. 02e0: 03 03 30 82 01 eb a0 03 02 01 02 02 04 4f 45 c6 ..0..........OE. 02f0: 92 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00 .0...*.H........ 0300: 30 21 31 1f 30 1d 06 03 55 04 03 13 16 63 61 62 0!1.0...U....cab 0310: 65 72 6e 65 74 2e 62 75 72 6e 65 74 2e 65 64 75 ernet.burnet.edu 0320: 2e 61 75 30 1e 17 0d 31 32 30 32 32 33 30 34 35 .au0...120223045 0330: 34 34 32 5a 17 0d 31 33 30 32 32 32 30 34 35 34 442Z..1302220454 0340: 34 32 5a 30 21 31 1f 30 1d 06 03 55 04 03 13 16 42Z0!1.0...U.... 0350: 63 61 62 65 72 6e 65 74 2e 62 75 72 6e 65 74 2e cabernet.burnet. 0360: 65 64 75 2e 61 75 30 82 01 22 30 0d 06 09 2a 86 edu.au0.."0...*. 0370: 48 86 f7 0d 01 01 01 05 00 03 82 01 0f 00 30 82 H.............0. 0380: 01 0a 02 82 01 01 00 f4 96 e0 b4 5c fc 2d 2e f4 ...........\.-.. 0390: 37 30 03 bb 70 c9 99 ca 25 b9 46 90 cb 75 99 19 70..p...%.F..u.. 03a0: a8 c9 95 27 52 ee b4 6d 29 99 07 9b a5 7f 52 15 ...'R..m).....R. 03b0: 20 25 a0 d9 17 6f f6 67 c6 a0 1e 33 9a 2c 4b 24 %...o.g...3.,K$ 03c0: 83 60 e9 33 e2 1d 7a 42 c3 b6 9d d8 28 bd 85 4c .`.3..zB....(..L 03d0: 77 d0 11 69 cb 81 f4 a8 e1 25 57 56 4f 9c 0f e1 w..i.....%WVO... 03e0: 8b 67 cd 80 53 83 07 b4 d2 32 e5 7e 12 83 4f a2 .g..S....2.~..O. 03f0: cc 56 92 e7 e1 60 7d 26 7d a5 b2 7c 81 47 66 57 .V...`}&}..|.GfW 0400: c9 50 fb 45 d8 b8 35 53 89 f2 0e 35 4a ab 84 0d .P.E..5S...5J... 0410: c8 53 3f 1f 38 64 dc cf e4 4a 54 b0 48 84 1b c3 .S?.8d...JT.H... 0420: 66 f8 53 a4 1a a6 b5 5c df 54 4a 50 fb 29 f6 2e f.S....\.TJP.).. 0430: 38 93 ed 9e 03 94 8c 5c 66 9f 08 6c af 1f fd e9 8......\f..l.... 0440: a6 b9 d6 8a 5e 2d f9 29 eb e0 80 6b bf ec 3a dd ....^-.)...k..:. 0450: 3e 48 a7 b2 53 d5 2f ff 7d 23 78 f3 ed 04 bf 04 >H..S./.}#x..... 0460: c9 6d 9a 74 fb c3 28 1c 76 c5 7a eb 49 0a 1e 8e .m.t..(.v.z.I... 0470: 9b 08 ff f3 e1 f6 b0 aa 9f b5 75 6a 32 09 6a 6e ..........uj2.jn 0480: fd 96 58 c2 15 fd 5d 02 03 01 00 01 a3 43 30 41 ..X...]......C0A 0490: 30 0f 06 03 55 1d 13 01 01 ff 04 05 30 03 01 01 0...U.......0... 04a0: ff 30 0f 06 03 55 1d 0f 01 01 ff 04 05 03 03 07 .0...U.......... 04b0: 04 00 30 1d 06 03 55 1d 0e 04 16 04 14 9e 4d 67 ..0...U.......Mg 04c0: 0c 77 e2 ae 73 1d cb c9 9c 30 9a 55 42 a9 fe 10 .w..s....0.UB... 04d0: 87 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00 .0...*.H........ 04e0: 03 82 01 01 00 88 53 73 a9 3d 82 f2 01 70 b1 21 ......Ss.=...p.! 04f0: 80 d4 e2 77 d3 26 4f 55 16 a3 bd 98 32 25 2e 32 ...w.&OU....2%.2 0500: e2 d7 71 3b 37 d0 b5 22 b2 d6 c6 70 09 f1 52 6f ..q;7.."...p..Ro 0510: cc fc 12 3b a3 ef 95 a1 2c 5b c9 fb c5 15 7e 99 ...;....,[....~. 0520: a6 07 04 ff a3 cd c1 6c 20 e8 23 a7 9a ca dd 25 .......l .#....% 0530: 06 a7 84 19 c1 1c 88 eb 4a b2 b7 6c f9 06 bc ae ........J..l.... 0540: 1c b0 55 d5 dc 3b e7 1d 13 94 a0 8e d7 4b 0e c5 ..U..;.......K.. 0550: 47 59 7a 7d 92 b6 32 ed c0 cc d8 5b 61 89 dc 33 GYz}..2....[a..3 0560: f9 37 62 7e 03 16 8c 43 08 f0 cf f3 3b ee 75 71 .7b~...C....;.uq 0570: e1 91 3e 97 ce 8e 59 85 b1 11 56 d9 a4 29 60 93 ..>...Y...V..)`. 0580: ff 31 a4 04 93 13 76 52 03 7e 2b 83 97 1c 9a 3b .1....vR.~+....; 0590: 97 f3 5c 2d 5b be 7b 7e 09 29 e4 5d fe 5e f1 7f ..\-[.{~.).].^.. 05a0: 19 e3 7c cc 6f a0 f5 e6 c7 30 8d 39 57 7c 44 0b ..|.o....0.9W|D. 05b0: 16 77 73 1c 38 be 28 b1 36 39 3b 9b 10 62 7b b9 .ws.8.(.69;..b{. 05c0: fc bd ca 6f 2a 9e 6a bf 3c ad e5 45 7c 9c 2f 60 ...o*.j.<..E|./` 05d0: 0a 7f 51 7c bf a3 35 5c 79 b5 e8 e4 cf a9 74 da ..Q|..5\y.....t. 05e0: 72 7a f2 c0 da rz... tls_read: want=5, got=5 0000: 16 03 03 00 04 ..... tls_read: want=4, got=4 0000: 0e 00 00 00 .... tls_write: want=139, written=139 0000: 16 03 03 00 86 10 00 00 82 00 80 27 8b cb 55 4b ...........'..UK 0010: 5e 9f 1c 8f e0 f6 40 3f b8 2e c7 39 58 54 2a a5 ^.....@?...9XT*. 0020: c7 02 a3 07 b4 20 e0 b4 cd 04 c9 de 4e 43 71 ef ..... ......NCq. 0030: e2 f4 1e ae f0 f4 fb 97 cb 5f e2 d9 58 28 f3 e4 ........._..X(.. 0040: 98 ee 1f 75 7f b9 50 e0 79 7a 85 1a 45 99 7c a2 ...u..P.yz..E.|. 0050: 9f d4 d6 02 21 b8 b8 e5 0b 00 d4 87 36 8f 16 d2 ....!.......6... 0060: f1 92 fb 6e 34 06 a9 eb 2b 07 6d be 5e 6a 8f 13 ...n4...+.m.^j.. 0070: d2 1a b5 76 51 65 b4 bb c9 54 da 9c b8 eb 22 1c ...vQe...T....". 0080: 24 b0 7e 4c a6 d8 9c 3e 1d ec 97 $.~L...>... tls_write: want=6, written=6 0000: 14 03 03 00 01 01 ...... tls_write: want=149, written=149 0000: 16 03 03 00 90 42 db 5e 66 fe 67 8d 28 5c 2b 4e .....B.^f.g.(\+N 0010: 30 83 de f3 e5 9b 72 1c ad 0a 47 fc bb e5 00 86 0.....r...G..... 0020: 15 38 99 7e 65 32 7a 83 dd d3 38 da 1f 02 19 90 .8.~e2z...8..... 0030: ce 52 04 ca 19 f9 23 64 eb 95 32 f7 99 1a e6 70 .R....#d..2....p 0040: 87 91 8d fd de 91 99 34 15 24 95 dc 9b 18 6e 2c .......4.$....n, 0050: d0 61 08 5f 8a d6 67 ef 07 0d ac f7 97 f0 ee ec .a._..g......... 0060: 06 c5 34 27 55 af 0e c2 41 df df 5f 2a 3f 70 e7 ..4'U...A.._*?p. 0070: 6a 15 e8 d2 b3 30 8e d2 b7 02 1d 41 87 c0 3c 09 j....0.....A..<. 0080: 2c 3e 74 aa 10 b1 5a 89 22 73 16 ff c4 99 0b d4 ,>t...Z."s...... 0090: c8 30 5f 78 3a .0_x: tls_read: want=5, got=5 0000: 14 03 03 00 01 ..... tls_read: want=1, got=1 0000: 01 . tls_read: want=5, got=5 0000: 16 03 03 01 20 .... tls_read: want=288, got=288 0000: 25 02 9a a1 d7 69 40 00 ba 2b 75 2c 4e 7b 82 21 %....i@..+u,N{.! 0010: f9 0d 2e 55 1b 3f 34 c9 5e 59 43 7f 6c d2 c2 52 ...U.?4.^YC.l..R 0020: 5d bf 44 e9 93 65 33 bc a8 9b f8 b7 d3 f2 f6 15 ].D..e3......... 0030: b1 e9 58 3a 16 c3 22 f9 9b 0c ff 4f 19 d0 cc f9 ..X:.."....O.... 0040: cd 2d 76 15 48 20 57 c5 c0 6b cd 2c 4a 5b b1 9d .-v.H W..k.,J[.. 0050: 1b d3 9b bf 16 c4 36 ee ca 2e af 23 7c b7 e7 e1 ......6....#|... 0060: f9 bf 46 b6 06 12 fe fe ab 3d 34 5e c7 9c 4a 52 ..F......=4^..JR 0070: 99 70 70 0f d1 8d fd 55 bb f9 f5 2b 56 dc 5b 00 .pp....U...+V.[. 0080: f2 75 f3 74 89 65 91 a5 5f 70 09 5b 09 c0 e8 48 .u.t.e.._p.[...H 0090: 4a db f6 15 14 4a 41 fe 14 09 73 cf fa 5b 1c 7c J....JA...s..[.| 00a0: 68 82 fd 1d da 49 2d 12 83 b0 67 15 56 7c f8 ee h....I-...g.V|.. 00b0: 75 08 7a 3d 1a a6 87 aa bc 7d ff b4 71 43 93 8c u.z=.....}..qC.. 00c0: b4 c6 3e a0 5b 3b 10 e9 16 62 b0 dc cb a8 08 77 ..>.[;...b.....w 00d0: d0 51 31 ed 8b 05 62 1f 3f a1 9d 45 ff d8 3f ba .Q1...b.?..E..?. 00e0: ae a1 d6 ac 29 e6 f8 75 87 33 8e a7 19 9f 69 ec ....)..u.3....i. 00f0: fd d5 49 20 4e 09 aa 3d da c4 50 a5 0d 50 0b f9 ..I N..=..P..P.. 0100: c1 2a b9 bd 71 6a 5a 6e e7 01 0c df 1c 44 33 34 .*..qjZn.....D34 0110: 6e ac e6 db 1a 7d ef 10 5e 68 d3 4b cc 56 59 01 n....}..^h.K.VY. TLS: peer cert untrusted or revoked (0x42) TLS: can't connect: (unknown error code). ldap_err2string ldap_start_tls: Connect error (-11) additional info: (unknown error code) I also get quite a few these errors in the syslog, though they don’t appear to be coincide with my manual connection attempts: Feb 23 16:20:41 cabernet slapd[9024]: connection_read(25): no connection! Feb 23 16:20:41 cabernet slapd[9024]: <= bdb_equality_candidates: (objectClass) not indexed Please let me know if there is anything else you want and thanks in advance for any suggestions Cheers Paul

11 years, 7 months

3
2
0 / 0

Re: alias entries across database bounds, allowed if DBs are "subordinate"?

by Judd Maltin

On Fri, Feb 24, 2012 at 11:47 AM, Quanah Gibson-Mount <quanah(a)zimbra.com> wrote: > --On Thursday, February 23, 2012 5:04 PM -0800 Howard Chu <hyc(a)symas.com> > wrote: > >> Judd Maltin wrote: >>> >>> Hey folks, >>> >>> On the same slapd server, I have two databases with different suffixes. >>> >>> I'd like to create an alias entry in one database and suffix to return >>> an entry from the other database and suffix. >>> >>> Would this be possible if the second database were subordinate to the >>> other? Or, because it does not share namingContext by being in the >>> same suffix, would it fail? >>> >>> Otherwise I'm going to setup another slapd and use back-ldap/meta to >>> proxy what I need. >> >> >> No, aliases cannot cross DB boundaries, regardless of subordinate. > > > Any reason why you don't make it all a single DB? > > --Quanah > Thanks for the responses, guys. I inherited the existing and will be replacing with one DB. I'm now slapcatting the DBs and loading into a single DB as POC. -judd -- Judd Maltin T: 917-882-1270 F: 501-694-7809 A loving heart is never wrong.

11 years, 7 months

1
0
0 / 0

OpenLDAP training Europe

by Pieter Baele

Any recommendations for OpenLDAP traing going further then the basics? location: Belgium, France, Germany or UK Sincerely, PieterB

11 years, 7 months

2
1
0 / 0

alias entries across database bounds, allowed if DBs are "subordinate"?

by Judd Maltin

Hey folks, On the same slapd server, I have two databases with different suffixes. I'd like to create an alias entry in one database and suffix to return an entry from the other database and suffix. Would this be possible if the second database were subordinate to the other? Or, because it does not share namingContext by being in the same suffix, would it fail? Otherwise I'm going to setup another slapd and use back-ldap/meta to proxy what I need. Thanks! -judd -- Judd Maltin T: 917-882-1270 F: 501-694-7809 A loving heart is never wrong.

11 years, 7 months

3
2
0 / 0

bdb to hdb conversion

by btb＠bitrate.net

i've just converted an existing database/directory from bdb to hdb. it appears to have worked, and all seems to be in order, but is there something i can do to demonstrate empirically that it is in fact hdb now?

11 years, 7 months

2
2
0 / 0

Re: Howto implement RBAC with OU's and posixGroups

by Fred van Zwieten

What I mean with "this" in "in AD this is possible" is the fact that you can assign group membership to OU membership (When user A is member of OU B, user A will become member of group C". Afaik this is not possible with OpenLDAP. If it is, I would really like to know how. My only bet is with dynamic groups/list, but I have no idea how. Fred 2012/2/23 Buchan Milne <bgmilne(a)staff.telkomsa.net> > On Wednesday, 22 February 2012 11:22:55 Fred van Zwieten wrote: > > Hi all, > > > > warning: openldap newbie.. > > > > is it possible to have a person put into an OU and, because of this, will > > become member of some group in such a way that this group shows up in > linux > > using "id". This to implement some form of RBAC. I found GroupofMembers, > > but that has nothing to do with OU's. Also, it seems posixGroup and > > groupOfMembers objecttypes are no longer allowed together because the are > > both STRUCTURAL. > > Not in nis.schema, but in rfc2307bis.schema, posixGroup is not structural. > > > In AD this is possible. > > It is possible in OpenLDAP too. Just now with nis.schema. Most LDAP clients > support rfc2307bis. > > Regards, > Buchan >

11 years, 7 months

2
1
0 / 0

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical February 2012