I had thought I tested this beforehand but I seem to be able to reliably
reproduce the following situation:
We have an installation where the provider server has information that is
replicated to downstream replicas using the syncrepl protocol. The account
used to replicate is allowed to see records where certain attributes meet
specific values, a silly example is an attribute is set
When an account has that attribute set, it then replicates to the downstream
replica; however, if we later set replicateMe to FALSE so that the account
used for replication can no longer see the entry, the entry seems to be
orphaned and is not removed from the replica.
We are using OpenLDAP 2.4.26 and I have the syncprov sessionlog set to 500
and the replica is set to refreshAndPersist.
Is this something that is simply not supported? Or would a case like this
be expected to work, and I've either got a configuration issue or a bug?
An attribute declared 'dsaOperation' in the schema is not replicated
with Syncrepl; this behavior was coded some years ago and it seems
Today, I updated such an attribute (pwdFailureTime) with the relax
control and noticed the modification has been replicated. I just
wanted to know if this behavior was expected with the relax control,
or if this is an issue (the test was done with OpenLDAP 2.4.31).
Good morning, I have a question about password management in LDAP with
Samba. I've seen that the Samba schema's attributes have no effect on
password management; only shadowAccount's attributes do. So I changed
shadowMax to "0" for a user, and at the next login it tells me
"You are required to change your password immediately (password aged)
LDAP administrator password: "
After entering the LDAP admin's password it tells me
"Authentication token manipulation error".
Why? The admin's password is correct, I am sure.
--On Wednesday, May 30, 2012 7:35 PM +0300 Ioan Indreias
>> One other thing I would note is that you have failed to provide your
>> OpenLDAP configuration (either slapd.conf or a slapcat -n 0 of your
>> cn=config DB).
> Actually I have provided the slapd.conf file in my first mail - please
> find attached what I have sent at that time.
Please keep replies on the list. I looked back at the start of the thread
and didn't see any attachments. In any case, I have the following comments:
a) Why are you setting serverID? You aren't doing MMR, or if you are, you
have not configured it correctly (There is no mirrormode line set).
b) Get rid of the filters=... line in syncrepl config. Just use the
c) Your attrs=... line in the syncrepl config is invalid. Remove it and
just use the default.
a) What kind of filesystem is /storage, where you are storing the databases?
b) if you remove the "logold" line from your accesslog configuration, do
the deadlocks still occur?
Sr. Member of Technical Staff
A Division of VMware, Inc.
Zimbra :: the leader in open source messaging and collaboration
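As an added illustration of the configuration points raised in this reply (a constructed fragment, not the original poster's slapd.conf, which is not on the page, and not the responder's own text), the consumer-side syncrepl stanza without the serverID, filter= and attrs= lines, and the provider-side accesslog configuration with the logold line singled out; hostname, suffix, DNs, the password and all paths other than /storage are placeholders.

```conf
# Consumer side (constructed illustration of points a-c above).

# (a) serverID only has a purpose in multi-master replication, where it is
#     paired with "mirrormode on"; a plain consumer needs neither line.
# serverID 1
# mirrormode on

# (b) no filter= line: the whole searchbase is replicated.
# (c) no attrs= line: the default attribute list applies.
# (slapd.conf treats indented lines as continuations, so no comments
#  are placed inside the stanza itself.)
syncrepl rid=001
    provider=ldap://provider.example.com
    type=refreshAndPersist
    searchbase="dc=example,dc=com"
    bindmethod=simple
    binddn="cn=replicator,dc=example,dc=com"
    credentials=PLACEHOLDER-PASSWORD
    retry="60 +"

# Provider side: the accesslog configuration the second pair of questions
# refers to. Backend and directories are placeholders; /storage is the
# location the reply asks about.
database hdb
suffix "cn=accesslog"
directory /storage/accesslog
index reqStart eq

database hdb
suffix "dc=example,dc=com"
directory /storage/data
overlay accesslog
logdb cn=accesslog
logops writes
logsuccess TRUE
# The reply asks whether the deadlocks persist once this line is removed:
# logold ...
```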
Good afternoon to all!
I am a newbie and I'm installing and configuring my first LDAP server for
my company. I want to use LDAP as an authentication method on my intranet
(Drupal) and as authentication for ssh. I have read that what I need is
the attribute 'host', but this attribute is incompatible with 'person',
so I cannot have both the fields (name, surname, phone, email) and host.
Can you help me solve it?
Thank you very much!
My LDAP skillz are (very) slowly coming along - thanks to good folk
here, I think I have figured out ACLs and I have managed to get
rwm/relay to emulate an old tree structure (well enough) whilst being
able to design a better structure for our department.
My next question is just a request for a pointer.
My understanding of LDAP authentication is very limited. What I would
like to do is a 2 phase transition to kerberos (which I do understand):
1) Rig OpenLDAP so all password changes get sent to the Kerberos server
but do not use it for authentication. In the meantime we will continue to
authenticate with the SSHA1 hashes in the user's LDAP entry.
2) After some time (months) when everyone has eventually done a password
change, the Kerberos server will be well enough in sync. Now I would
like to switch OpenLDAP to using kerberos on the backend (ie for binds
etc) and I will purge the SSHA1 hashes.
I'm most interested in some pointers for stage 1), if someone could be kind
enough to help me out: is there a particular name for this mechanism,
or a module that handles this kind of stuff?
2) I think I can probably google for myself (keywords SASL and/or GSSAPI
and/or LDAP+Kerberos). I've had a skim but did not notice an obvious way
to handle 1) without 2).
I apologise if it's a dumb question :-o
Many thanks in advance :)
Personal Blog: http://www.dionic.net/tim/
Thank you for your answer.
I'm reading the book published by O'Reilly, LDAP System Administration.
However, the world of LDAP is very large and used for many tasks.
I am creating my content tree and I can define it in many ways. And I know how
to do it or not.
Only that. I'm not that person who prefers to ask to learn.
2012/5/30 Turbo Fredriksson <turbo(a)bayour.com>
> On Wed, 30 May 2012 16:58:54 +0200, Carlos Barrero Martínez wrote:
>> Thank you Turbo.
>> I'm going to see this page to learn more about ldap. However... can
>> you tell me how can I do it (attributes host and personal attributes)?
> I can, but I'm not going to... And the reason is that LDAP is _way_ too
> complicated to teach in a mail or two...
> You really (really, really!!) need to get to grips with the basics before
> you continue. And the others on the list will basically tell you the same
> thing. We've all been through this so many times before...
> My HOWTO, but mostly my book, is designed for this specific purpose - teach
> beginners the basics and then some.
Thank you Turbo.
I'm going to see this page to learn more about ldap. However... can you
tell me how can I do it (attributes host and personal attributes)?
2012/5/30 Turbo Fredriksson <turbo(a)bayour.com>
> On Wed, 30 May 2012 15:46:37 +0200, Carlos Barrero Martínez wrote:
>> I am a newbie and I'm installing and configuring my first ldap server
>> for my company.
> Have a look at http://www.bayour.com/LDAPv3-HOWTO.html