openldap-technical May 2012

openldap-technical@openldap.org

76 participants
101 discussions

Syncrepl partial replication based on attribute problem
by Jeffrey Crawford 02 Jun '12

02 Jun '12

Hello, I had thought I tested this beforehand but I seem to be able to reliably reproduce the following situation: We have an installation where the provider server has information that is replicated to downstream replicas using the syncrepl protocol. The account used to replicate is allowed to see records where certain attributes meet specific values, a silly example is an attribute is set dn: uid=somerecord,ou=people,dc=ucsc,dc=edu replicateMe: TRUE ... When an account has that attribute set it then replicates to the downstream replica, however if later we set replicateMe to FALSE so that the account used for replication can no longer see the entry, it seems to be orphaned and is not removed in the replica. We are using OpenLDAP 2.4.26 and I have the syncprov sessionlog set to 500 and the replica is set to refreshAndPersist. Is this something that is simply not supported? or would a case like this be expected to work and I've either got a configuration issue or a bug? Thanks Jeffrey

3 7

dsaOperation attributes, relax control and syncrepl
by Clément OUDOT 01 Jun '12

01 Jun '12

Hello, an attribute declared 'dsaOperation' in the schema is not replicated with Syncrepl, this behavior was coded some years ago and it seems right. Today, I updated such attribute (pwdFailureTime) with the relax control and noticed the modification has been replicated. I just wanted to know if this behavior was expected with the relax control, or if this is an issue (the test was done with OpenLDAP 2.4.31). Thanks, Clément OUDOT.

2 3

About not enoguh space - unable to allocate memory for transaction detail
by emiliano ricci 31 May '12

31 May '12

Hello. I have this error: unable to allocate memory for transaction detail - not enoguh space when I try to modify an entry. Any help? Regards Emiliano

1 0

shadowMax
by zingalo 31 May '12

31 May '12

good morning, I've a question about password managing in ldap with samba. I've seen that samba schema's attributes don't have effect on password managing. Only shadowAccount's attribute do it. So i changed shadowMax to "0" for a user and at the next login it tells me "You are required to change your password immediately (password aged) LDAP administrator password: " After entering ldap admin's password it tells me "Authentication token manipulation error". Why? the admin'password is correct, am sure Thanks

2 3

Re: ~*~ [spam] Re: OpenLDAP freeze
by Quanah Gibson-Mount 30 May '12

30 May '12

--On Wednesday, May 30, 2012 7:35 PM +0300 Ioan Indreias <indreias(a)gmail.com> wrote: >> One other thing I would note is that you have failed to provide your >> OpenLDAP configuration (either slapd.conf for a slapcat -n 0 of your >> cn=config DB). > > Actually I have provided the slapd.conf file in my first mail - please > find attached what I have sent at that time. Please keep replies on the list. I looked back at the start of the thread and didn't see any attachments. In any case, I have the following comments and questions. Comments: a) Why are you setting serverID? You aren't doing MMR, or if you are, you have not configured it correctly (There is no mirrormode line set). b) Get rid of the filters=... line in syncrepl config. Just use the default. c) Your attrs=... line in the syncrepl config is invalid. Remove it and just use the default. Questions: a) What kind of filesystem is /storage, where you are storing the databases? b) if you remove the "logold" line from your accesslog configuration, do the deadlocks still occur? --Quanah -- Quanah Gibson-Mount Sr. Member of Technical Staff Zimbra, Inc A Division of VMware, Inc. -------------------- Zimbra :: the leader in open source messaging and collaboration

1 0

Attributes host and personal (mail, telephone...)
by Carlos Barrero Martínez 30 May '12

30 May '12

Good afternoon to all! I am a newbie and I'm installing and configuring my first ldap server for my company. I want to use LDAP as an authentication method on my intranet ( Drupal) and as authentication for ssh. I have read that's what I need to have the attribute 'host' but this attribute is incompatible with 'person', so I can not have fields (name, surname, phone, email) and host. Can you help solve it? Thank you very much!

2 1

Very quick pointer
by Tim Watts 30 May '12

30 May '12

Hi :) My LDAP skillz are (very) slowly coming along - thanks to good folk here, I think I have figured out ACLs and I have managed to get rwm/relay to emulate an old tree structure (well enough) whilst being able to design a better structure for our department. My next question is just a request for a pointer. My understanding of LDAP authentication is very limited. What I would like to do is a 2 phase transition to kerberos (which I do understand): 1) Rig OpenLDAP so all password changes get sent to the kerberos server but do not use it for authentication. In the meantime we will continue authenticate with the SSHA1 hashes in the user's LDAP entry. 2) After some time (months) when everyone has eventually done a password change, the Kerberos server will be well enough in sync. Now I would like to switch OpenLDAP to using kerberos on the backend (ie for binds etc) and I will purge the SSHA1 hashes. ================== I most interested in some pointers for stage 1) is someone could be kind enough to help me out - is there a particular name for this mechanism, or a module that handles this kind of stuff? ================== 2) I think I can probably google for myslef (keywords SASL and/or GSSAPI and/or LDAP+Kerberos. I've had a skim but did not notice an obvious way to handle 1) without 2) I apologise if it's a dumb question :-o Many thanks in advance :) Cheers Tim -- Tim Watts Personal Blog: http://www.dionic.net/tim/

6 11

Re: Attributes host and personal (mail, telephone...)
by Carlos Barrero Martínez 30 May '12

30 May '12

Thank you for your answer. I'm reading the book published by O'Reilly, LDAP System Administration. However, the world of LDAP is very large and used for many tasks. I am creating my content tree and I can define it in many ways. And I know how to do it or not. Only that. I'm not that person who prefers to ask to learn. Still, thanks! 2012/5/30 Turbo Fredriksson <turbo(a)bayour.com> > On Wed, 30 May 2012 16:58:54 +0200, Carlos Barrero Martínez wrote: > >> Thank you Turbo. >> >> I'm going to see this page to learn more about ldap. However... can >> you tell me how can I do it (attributes host and personal attributes)? >> > > I can, but I'm not going to... And the reason is that LDAP is _way_ to > complicated to teach in a mail or two... > > You really (really, really!!) need to get to the grips on the basics before > you continue. And the others on the list will basically tell you the same > thing. We've all been through this so many times before... > > My HOWTO, but mostly my book, is designed for this specific purpose - teach > beginners the basics and then some. > >

1 0

Re: Attributes host and personal (mail, telephone...)
by Carlos Barrero Martínez 30 May '12

30 May '12

Thank you Turbo. I'm going to see this page to learn more about ldap. However... can you tell me how can I do it (attributes host and personal attributes)? Thanks! 2012/5/30 Turbo Fredriksson <turbo(a)bayour.com> > On Wed, 30 May 2012 15:46:37 +0200, Carlos Barrero Martínez wrote: > >> I am a newbie and I'm installing and configuring my first ldap server >> for my company. >> > > Have a look at http://www.bayour.com/LDAPv3-**HOWTO.html<http://www.bayour.com/LDAPv3-HOWTO.html> > -- > ... but you know as soon as Oracle starts waving its wallet at a Company > it's time to run - fast. > /illumos mailing list >

1 0

acl filter using attribute memberof
by Dorit 30 May '12

30 May '12

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical May 2012