openldap-technical April 2012

openldap-technical@openldap.org

76 participants
80 discussions

memberof overlay
by Marvin Mundry 20 Apr '12

20 Apr '12

Hello everybody, i am running SLES 11.2 x64 with slapd 2.4.30 obtained from this repository: http://download.opensuse.org/repositories/home:/meikestone/SLE_11_SP2/ I am experiencing a problem that should have been solved in 2.4.26: Fixed slapo-memberof with accesslog (ITS#6329,ITS#6766,ITS#6915) (http://www.openldap.org/software/release/changes.html) i am running a master with multiple slaves, when adding a user to a group the memberof overlay updates the memberof attribute of the user on the master. the modification of the memberof attribute neither appears in the accesslog nor it gets replicated on the slaves. any ideas? best regards, marvin

2 3

cannot login using ldap user credential
by stefano malini 20 Apr '12

20 Apr '12

Hi, I installed and configured an ldap server on debian squeeze and i've a problem trying the login using ldap user credential. nslcd debug shows "user not found". using getent passwd i can see every user and also ldap users but i don't understand why i can't login. Could you help me please? Thanks

3 5

Distribution List in Outlook
by Krisztián Bielik 19 Apr '12

19 Apr '12

Running Openldap 2.4.30, with Berkeley DB I'd like to create an address book which is usable under Outlook 2007. There are no problems with single contacts, but regarding distribution lists i wasn't able to found any working solution. Checked back all the mailing list, also searched on internet, but there was only a few threads about this subject, without solution. Every tries(groupOfNames, proxyAddresses etc.) had the same results: Outlooks sees groups I created, but no addresses are associated with those groups. Any help would be appreciated. Thank you, Krisztian ______________________________________ Take a green step today. Think before you print. ********************************NOTICE************************************* This transmittal and/or attachments have been issued by Agility. The information contained here within may be privileged or confidential. If you are not the intended recipient, you are hereby notified that you have received this transmittal in error; any review, dissemination, distribution or copying of this transmittal is strictly prohibited. If you have received this transmittal and/or attachments in error, please notify us immediately by reply or by telephone (Tel. +965-1809-222) and immediately delete this message and all its attachments.

1 0

Distribution List on Outlook
by Krisztián Bielik 19 Apr '12

19 Apr '12

1 0

Add 'EQUALITY' to an existing attribute definition
by RICHARDSON Matt (SPARQ) 18 Apr '12

18 Apr '12

Hello all, I've got a problem with a user-defined attribute. The schema was written locally and used in a 389-DS directory. I made the necessary changes so that OpenLDAP 2.4.23-20.el6 could use it (attributeTypes -> olcAtrributeTypes, etc.). There is an attribute that needs to be added multiple times with different values. Under 389, this worked: olcAttributeTypes: {0}(1.3.6...1000 NAME 'x-myGroup' DESC 'My Group' SYNTAX 1.3...1.15 X-ORIGIN 'user defined') It works for adding one 'x-myGroup' attribute to an entry. However, if I try to add a second I get: Ldap_modify: Inappropriate matching (18) additional info: modify/add: x-myGroup: no equality matching rule The syntax specifies it's a directory string type, but adding 'EQUALITY caseIgnoreMatch' to the definition causes slapd to crash when I run ldapmodify to add an x-myGroup attribute to an existing entry. This seemed to be similar to this issue http://www.openldap.org/its/index.cgi/Software%20Bugs?id=5540 , so I did a slapcat, deleted the files in /var/lib/ldap/ and restarted slapd. Loading the ldif with ldapadd caused slapd to crash again. Removing the EQUALITY statement from the attribute definition allowed me to load the ldif. If someone could point me in the right direction, I would greatly appreciate it. Matt ************************************************************************************************** This email message (including any file attachments transmitted with it) is for the sole use of the intended recipient(s) and may contain confidential and legally privileged information. Any unauthorised review, use, alteration, disclosure or distribution of this email (including any attachments) by an unintended recipient is prohibited. If you have received this email in error, please notify the sender by return email and destroy all copies of the original message. Any confidential or legal professional privilege is not waived or lost by any mistaken delivery of the email. SPARQ Solutions accepts no responsibility for the content of any email which is sent by an employee which is of a personal nature. Sender Details: SPARQ Solutions PO Box 15760 City East, Brisbane QLD Australia 4002 +61 7 4931 2222 SPARQ Solutions policy is to not send unsolicited electronic messages. Suspected breaches of this policy can be reported by replying to this message including the original message and the word "UNSUBSCRIBE" in the subject. **************************************************************************************************

1 1

RE24 testing call #2 (2.4.31)
by Quanah Gibson-Mount 18 Apr '12

18 Apr '12

If you know how to build OpenLDAP manually, and would like to participate in testing the next set of code for the 2.4.31 release, please do so. Generally, get the code for RE24: <http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=snapshot;h=refs/h…> Configure & build. Execute the test suite (via make test) after it is built. Thanks! --Quanah -- Quanah Gibson-Mount Sr. Member of Technical Staff Zimbra, Inc A Division of VMware, Inc. -------------------- Zimbra :: the leader in open source messaging and collaboration

7 18

RE: ldapd vs. slapd
by Richards, Toby 18 Apr '12

18 Apr '12

I meant in terms of the LDIF file: objectClass: top objectClass: account objectClass: person objectClass: posixAccount objectClass: shadowAccount objectClass: organizationalPerson objectClass: inetOrgPerson The above doesn't work. It says that top/account isn't a valid chain. -Toby -----Original Message----- From: Kline, Sara [mailto:SKline@tnsi.com] Sent: Tuesday, April 17, 2012 8:45 AM To: Richards, Toby Subject: RE: ldapd vs. slapd 1. This is the order mine are in, you can ignore solaris and DUA as those are for the solaris boxes, also you can ignore policy that is for the password policy overlay. include /etc/openldap/schema/core.schema include /etc/openldap/schema/cosine.schema include /etc/openldap/schema/inetorgperson.schema include /etc/openldap/schema/nis.schema include /etc/openldap/schema/ppolicy.schema include /etc/openldap/schema/DUAConfigProfile.schema include /etc/openldap/schema/solaris.schema 2. What do you have in your slapd.conf? TLSCipherSuite HIGH:MEDIUM:+SSLv2 TLSCertificateFile /etc/pki/tls/certs/slapd-cert.pem TLSCertificateKeyFile /etc/pki/tls/certs/slapd-key.pem TLSCACertificateFile /etc/pki/tls/certs/slapd-cert.pem TLSVerifyClient never security update_ssf=1 update_ssf=112 simple_bind=64 Thanks, Sara Kline -----Original Message----- From: openldap-technical-bounces(a)OpenLDAP.org [mailto:openldap-technical-bounces@OpenLDAP.org] On Behalf Of Richards, Toby Sent: Tuesday, April 17, 2012 8:25 AM To: Brandon Hume; openldap-technical(a)openldap.org Subject: RE: ldapd vs. slapd OK got it. I realized that ldapd is a different product after some more research this morning. I've got slapd running & responding; however: 1. I cannot figure out the correct order of objectClass statements to reach inetOrgPerson. I do have the core, cosine, nis, and inetorgperson schemas included in slapd.conf. 2. slapd won't run on port 636 even though I put "TLS_CACERT /path/to/cert.crt" and "URI ldaps://toby.org.org" into ldap.conf -Toby -----Original Message----- From: openldap-technical-bounces(a)OpenLDAP.org [mailto:openldap-technical-bounces@OpenLDAP.org] On Behalf Of Brandon Hume Sent: Tuesday, April 17, 2012 7:58 AM To: openldap-technical(a)openldap.org Subject: Re: ldapd vs. slapd On 04/16/12 11:02 PM, Richards, Toby wrote: > For those of you wondering, I'm running OpenBSD 5.0. openldap-server-2.4.25p0.tgz (depends on: openldap-client-2.4.25.tgz (depends on cyrus-sasl-2.1.23p7-ldap.tgz)). Typing "ldapd" gets the appropriate tcp/ip ports responding. Typing "/etc/rc.d/slapd start" does something, but doesn't give me responses on 349 or 636. "ldapd" is a service that comes with OpenBSD, and it definitely is not OpenLDAP. It will start and sit on the same ports, however, making it impossible for you to start slapd. So don't start ldapd. Kill it if it's already running, then you might be able to start OpenLDAP. Also, this might have been a typo, but the non-SSL port for LDAP is 389/tcp, not 349. This e-mail message is for the sole use of the intended recipient(s)and may contain confidential and privileged information of Transaction Network Services. Any unauthorised review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message.

4 10

overlays and frontend database
by Jan Vcelak 18 Apr '12

18 Apr '12

Hello list. I have some questions about defining overlays on the frontend database. Documentation (manual pages) is not very consistent about it: slapd.overlays | Most of the overlays are only allowed to be configured on | individual databases, but some may also be configured | globally. slapd.conf | Note that all of the database's regular settings should be | configured before any overlay settings. slapd-config | Settings in the frontend database are inherited by the other | databases, unless they are explicitly overridden in a | specific database. | Overlays must be configured as child entries of a specific | database. FAQ | Starting from OpenLDAP 2.3 they can be stacked on the | frontend as well; this means that they can be executed after | a request is parsed and validated, but right before the | appropriate database is selected. Are there are some overlays that can be applied on the fronted database (globally)? What about the inheritance as mentioned in slapd-config? (Maybe I didn't understand this correctly.) >From what I have tried, enabling an overlay on fronted database makes slapd to segfault due to accessing a null pointer or due to a heap overflow. It seems that there are no verifications of overlay settings, because both slapadd and ldapmodify succeed when enabling the void configuration. Please, what is the expected behavior? Regards, Jan

2 2

Authenticate a Samba box to a pre-existing LDAP server
by Marcelo Pereira 17 Apr '12

17 Apr '12

Hello, I have been reading some documentation on how to setup a Samba+LDAP environment, but they are all considering that I'm setting up a "new" LDAP server on the same machine. I want to set up a Samba server (which is my server) but I would like to use an external LDAP server (which I don't have any access other than just authenticate myself) to authenticate the users in my Samba box. The LDAP server is up and running (I can't do anything there). I just need to connect my Samba box to this LDAP server in order to authenticate the users. Would you please suggest the right documentation so I could read it?? I will appreciate any help on this regard!! Thanks, Marcelo

1 0

ldapd vs. slapd
by Richards, Toby 17 Apr '12

17 Apr '12

I've been attempting to get an OpenLDAP server running all day, and I've been reading official documentation, tutorials, and anything else relevant on Google. I have some questions: 1. What is the difference between ldapd & slapd (and commands such as ldapadd & slapdadd)? Slapd doesn't seem to respond on LDAP ports, but ldapd does. 2. When using commands & configuring ldap.conf, can I use an IP address instead of an FQDN for the host URI? 3. Do self-signed certificates break ldapadd? 4. I'm running with an SSL certificate, but no TLS. I commonly get the error "Confidentiality Required." The -Z option is for TLS. How do I tell ldapadd that I'm using SSL only? I tried with -Hldaps://hostname:636, but then I get "ldap_sasl_bind(SIMPLE): Can't connect to LDAP server" (even if I use the -x option). I know that the ldap server is running because when ldapd is running, I can connect with external tools such as jxplorer or ldap-at (but trying to make changes to my database will crash both of those utilities). Respectfully Submitted, R. Toby Richards Network Administrator Superior Court of California In and For the County of San Luis Obispo (805) 781-4150

4 7

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical April 2012