July 2012 - openldap-technical

Special characters in distinguished name

by chris_news＠arcor.de

Hello, are special characters, especially German umlauts, acceptable in the distinguished name? I've accidentally discovered that CPAN's Net::LDAP::Entry module doesn't support them (in the distinguished name). Other attributes are escaped correctly. Thank you in advance. Chris

11 years, 1 month

5
5
0 / 0

Advice for distributing schemas for OpenLDAP

by ghudson＠mit.edu

MIT krb5 has an LDAP back end for its KDC, which uses its own schema. Currently, we distribute just a .schema file for OpenLDAP, which isn't very friendly to a DS using back-config and slapd.d. I have some questions about how we might do better. 1. For initial installs, I take it we should distribute a .ldif file which can be loaded with ldapadd. If we continue to use our .schema file as the master source file for the time being, then I assume we'll want to convert that to the .ldif file using slaptest. If we do that, should we remove the {n} prefix from the cn of the converted output, along with the metadata entries at the end, to match the style of the .ldif files in servers/slapd/schema? 2. If someone is upgrading to a version of krb5 which has new stuff added to the schema, how should we facilitate that upgrade? I don't think the .ldif file mentioned above would be of much use, since ldapadd will refuse to change an existing entry and ldapmodify wants to see change records. One option is to distribute an LDIF file with a bunch of idempotent modify operations to upgrade the schema. Looking at RFC 2849, I'm not sure you can idempotently create an LDAP entry with LDIF (so this input file couldn't be used for initial installs), but perhaps it's a viable option to bring the olc* attributes on an existing schema entry up to date. Has anyone done something like this before, and is there a good way to generate such an ldapmodify input file from either a .schema file or its attrval-record .ldif equivalent? Another option is to distribute delta LDIF files for each specific upgrade. That seems less friendly to OS packagers, who would then have to identify which upgrades to apply, but perhaps it's a better approach for reasons I don't know yet. If it is the best option, again, is there a good way to generate such delta LDIF files automatically? Thanks for any advice, and apologies if I missed anything in the documentation or mailing list archives.

11 years, 1 month

3
2
0 / 0

Translucent Proxy to filter users

by Joel Eidsath

Hello, I'm trying to use our corporate openldap server for authentication to an application server (Github Enterprise) that does not support any "memberof" filters for allowed users. As a workaround, I am looking into a translucent proxy server that would only return a subset of users. Github Enterprise would only "see" a few hundred users instead of thousands. Is this doable? Is there a better solution? Joel Eidsath

11 years, 1 month

4
4
0 / 0

What will happen if there are two user with same uid in OpenLDAP server

by Qian Zhang

Hi, I have an OpenLDAP server setup, I am just wondering what will happen when I do login if there are two user in different OU but with same uid. I guess PAM is in flat mode, so when I login with the uid, I can always login as one of the two users, and have no chance to login as the other, right? If that is true, should I add a restriction that the uid of each user must be unique in the whole OpenLDAP server? Thanks, Qian

11 years, 1 month

5
11
0 / 0

Re: slapo-chain on syncrepl slave. I simply can't get it working. Help??

by Gavin Henry

>> Remove your dn{} line. > > Sorry, which dn line do you mean? > > This? > > authzTo: {0}dn:* Yeah. -- Kind Regards, Gavin Henry. Managing Director. T +44 (0) 1224 279484 M +44 (0) 7930 323266 F +44 (0) 1224 824887 E ghenry(a)suretecsystems.com Open Source. Open Solutions(tm). http://www.suretecsystems.com/ Suretec Systems is a limited company registered in Scotland. Registered number: SC258005. Registered office: 24 Cormack Park, Rothienorman, Inverurie, Aberdeenshire, AB51 8GL. Subject to disclaimer at http://www.suretecgroup.com/disclaimer.html Do you know we have our own VoIP provider called SureVoIP? See http://www.surevoip.co.uk Did you see our API news? http://www.surevoip.co.uk/news-events/surevoip-launches-innovative-api

11 years, 1 month

3
6
0 / 0

slapo-chain on syncrepl slave. I simply can't get it working. Help??

by elekktretterr＠exemail.com.au

Hi, I've spent 2 days on this now and can't figure it out. Master directory (2.4.21 on FBSD 7, compiled with SASL) Slave (2.4.31 on Debian Squeeze) The goal is to eventually use TLS as both the servers are remote from one to another, but for the sake of simplicity during testing i'm not using TLS at this stage. RefreshAndPersist replication is setup and working Master config(not complete, but related parts): authz-policy to database bdb suffix cn=accesslog directory /db/accesslog rootdn cn=accesslog index default eq index entryCSN,objectClass,reqEnd,reqResult,reqStart overlay syncprov syncprov-nopresent TRUE syncprov-reloadhint TRUE # Let the replica DN have limitless searches limits dn.exact="cn=replicator,ou=daemons,dc=webgate,dc=net,dc=au" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited database bdb suffix "dc=webgate,dc=net,dc=au" rootdn "cn=Manager,dc=webgate,dc=net,dc=au" rootpw deleted password-hash {SSHA} directory /var/db/openldap-data mode 0600 cachesize 2000 # syncrepl Provider for primary db overlay syncprov syncprov-checkpoint 1000 60 # accesslog overlay definitions for primary db overlay accesslog logdb cn=accesslog logops writes logsuccess TRUE # scan the accesslog DB every day, and purge entries older than 7 days logpurge 07+00:00 01+00:00 # Let the replica DN have limitless searches limits dn.exact="cn=replicator,ou=daemons,dc=webgate,dc=net,dc=au" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited access to attrs=userPassword by self write by dn="cn=users,ou=daemons,dc=webgate,dc=net,dc=au" write by dn="cn=replicator,ou=daemons,dc=webgate,dc=net,dc=au" read by * auth access to dn.base="ou=zones,dc=webgate,dc=net,dc=au" by dn="cn=replicator,ou=daemons,dc=webgate,dc=net,dc=au" read by dn="cn=dns,ou=daemons,dc=webgate,dc=net,dc=au" read by dn="cn=users,ou=daemons,dc=webgate,dc=net,dc=au" write access to dn.children="ou=zones,dc=webgate,dc=net,dc=au" by dn="cn=replicator,ou=daemons,dc=webgate,dc=net,dc=au" read by dn="cn=dns,ou=daemons,dc=webgate,dc=net,dc=au" read by dn="cn=users,ou=daemons,dc=webgate,dc=net,dc=au" write access to dn.base="ou=emails,dc=webgate,dc=net,dc=au" by dn="cn=replicator,ou=daemons,dc=webgate,dc=net,dc=au" read by dn="cn=postfix,ou=daemons,dc=webgate,dc=net,dc=au" read by dn="cn=users,ou=daemons,dc=webgate,dc=net,dc=au" write access to dn.children="ou=emails,dc=webgate,dc=net,dc=au" by dn="cn=replicator,ou=daemons,dc=webgate,dc=net,dc=au" read by dn="cn=postfix,ou=daemons,dc=webgate,dc=net,dc=au" read by dn="cn=users,ou=daemons,dc=webgate,dc=net,dc=au" write access to dn.children="ou=users,dc=webgate,dc=net,dc=au" by dn="cn=replicator,ou=daemons,dc=webgate,dc=net,dc=au" read by dn="cn=users,ou=daemons,dc=webgate,dc=net,dc=au" write access to dn.base="ou=users,dc=webgate,dc=net,dc=au" by dn="cn=replicator,ou=daemons,dc=webgate,dc=net,dc=au" read by dn="cn=users,ou=daemons,dc=webgate,dc=net,dc=au" write access to dn.base="ou=groups,dc=webgate,dc=net,dc=au" by dn="cn=replicator,ou=daemons,dc=webgate,dc=net,dc=au" read by dn="cn=users,ou=daemons,dc=webgate,dc=net,dc=au" write access to dn.children="ou=groups,dc=webgate,dc=net,dc=au" by dn="cn=replicator,ou=daemons,dc=webgate,dc=net,dc=au" read by dn="cn=users,ou=daemons,dc=webgate,dc=net,dc=au" write access to dn.base="ou=virtualhosts,dc=webgate,dc=net,dc=au" by dn="cn=replicator,ou=daemons,dc=webgate,dc=net,dc=au" read by dn="cn=httpd,ou=daemons,dc=webgate,dc=net,dc=au" read by dn="cn=users,ou=daemons,dc=webgate,dc=net,dc=au" write access to dn.children="ou=virtualhosts,dc=webgate,dc=net,dc=au" by dn="cn=replicator,ou=daemons,dc=webgate,dc=net,dc=au" read by dn="cn=httpd,ou=daemons,dc=webgate,dc=net,dc=au" read by dn="cn=users,ou=daemons,dc=webgate,dc=net,dc=au" write access to * by dn="cn=replicator,ou=daemons,dc=webgate,dc=net,dc=au" read by users read by anonymous none by * none Slave config: overlay chain chain-uri ldap://xxx:389/ chain-rebind-as-user Yes chain-idassert-bind bindmethod="simple" binddn="cn=replicator,ou=daemons,dc=webgate,dc=net,dc=au" credentials="xxx" mode="self" chain-return-error Yes access to attrs=userPassword,shadowLastChange by anonymous auth by * none access to dn.base="" by * read access to * by * read # syncrepl directives syncrepl rid=0 provider=ldap://xxx:389 bindmethod=simple binddn="cn=replicator,ou=daemons,dc=webgate,dc=net,dc=au" credentials=deleted searchbase="dc=webgate,dc=net,dc=au" logbase="cn=accesslog" logfilter="(&(objectClass=auditWriteObject)(reqResult=0))" schemachecking=on type=refreshAndPersist retry="60 +" syncdata=accesslog # Refer updates to the master updateref ldap://xxx cn=replicator contains: dn: cn=replicator,ou=daemons,dc=webgate,dc=net,dc=au objectClass: top objectClass: inetOrgPerson cn: replicator sn: replicator userPassword:: xxx authzTo: {0}dn:* No matter what I change, when I run ldapmodify on slave ldapmodify -x -D "cn=replicator,ou=daemons,dc=webgate,dc=net,dc=au" -W -f test_update.ldif modifying entry "uid=xxx,ou=emails,dc=webgate,dc=net,dc=au" ldap_modify: Strong(er) authentication required (8) I run the server with -d 1 to see what's going on and it seems even if i change chain-idassert-bind binddn="cn=replicator,ou=daemons,dc=webgate,dc=net,dc=au" to anything that doesn't even exist in the directory it never gets used... The only thing that makes a difference from the chain-* directives is the chain-return-error Yes, setting it to "no" makes it return just the referral address What am I doing wrong??? Thanks Petr

11 years, 1 month

2
3
0 / 0

RE24 testing call#3 (OpenLDAP 2.4.32)

by Quanah Gibson-Mount

If you know how to build OpenLDAP manually, and would like to participate in testing the next set of code for the 2.4.32 release, please do so. Generally, get the code for RE24: <http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=snapshot;h=refs/ heads/OPENLDAP_REL_ENG_2_4;sf=tgz> Configure & build. Execute the test suite (via make test) after it is built. Thanks! --Quanaho -- Quanah Gibson-Mount Sr. Member of Technical Staff Zimbra, Inc A Division of VMware, Inc. -------------------- Zimbra :: the leader in open source messaging and collaboration

11 years, 1 month

4
7
0 / 0

Re: RE24 testing call#3 (OpenLDAP 2.4.32)

by Neil Mcbennett

All good on Solaris 10 / SPARC On 27 July 2012 03:43, Quanah Gibson-Mount <quanah(a)zimbra.com> wrote: > If you know how to build OpenLDAP manually, and would like to participate > in testing the next set of code for the 2.4.32 release, please do so. > > Generally, get the code for RE24: > > <http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=snapshot;h=refs/ > heads/OPENLDAP_REL_ENG_2_4;sf=tgz> > > Configure & build. > > Execute the test suite (via make test) after it is built. > > Thanks! > > --Quanaho > > -- > > Quanah Gibson-Mount > Sr. Member of Technical Staff > Zimbra, Inc > A Division of VMware, Inc. > -------------------- > Zimbra :: the leader in open source messaging and collaboration >

11 years, 1 month

1
0
0 / 0

Re: RE24 testing call#3 (OpenLDAP 2.4.32)

by devzero2000

On Fri, Jul 27, 2012 at 4:43 AM, Quanah Gibson-Mount <quanah(a)zimbra.com>wrote: > If you know how to build OpenLDAP manually, and would like to participate > in testing the next set of code for the 2.4.32 release, please do so. > > Generally, get the code for RE24: > > <http://www.openldap.org/**devel/gitweb.cgi?p=openldap.** > git;a=snapshot;h=refs/<http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=snapshot;h=refs/> > heads/OPENLDAP_REL_ENG_2_4;sf=**tgz> > > Configure & build. > > Execute the test suite (via make test) after it is built. > > All good on RHEL 6.2/6.3 e serentos 6.2. > Thanks! > > --Quanaho > > -- > > Quanah Gibson-Mount > Sr. Member of Technical Staff > Zimbra, Inc > A Division of VMware, Inc. > -------------------- > Zimbra :: the leader in open source messaging and collaboration > >

11 years, 1 month

1
0
0 / 0

Openldap Problem

by Chris

Hi. I am using rhel 6.3, with sssd-1.8.0 and openldap-servers-2.4.23-26, the kernel is 2.6.32-279.2.1.el6.x86_64. The problem I'm having is I get this error message in messages file. "sssd[be[default]]: Could not start TLS encryption. TLS error -5938:Encountered end of file" I started sssd with debugging set to 9. Errors I saw in sssd_default.log is: [dp_get_options] (0x0400): Option ldap_sasl_minssf has value -1 [get_port_status] (0x1000): Port status of port 389 for server 'ibm-01.flamengro.co.za' is 'not working' When I add new users I cannot log in with the new names, a ldapseach shows them but getent passwd nothing. Not all the users show up on my other machines either. Any help will be appreciated. My slapd.conf file looks like this. /include /etc/openldap/schema/corba.schema include /etc/openldap/schema/core.schema include /etc/openldap/schema/cosine.schema include /etc/openldap/schema/duaconf.schema include /etc/openldap/schema/dyngroup.schema include /etc/openldap/schema/inetorgperson.schema include /etc/openldap/schema/java.schema include /etc/openldap/schema/misc.schema include /etc/openldap/schema/nis.schema include /etc/openldap/schema/openldap.schema include /etc/openldap/schema/ppolicy.schema include /etc/openldap/schema/collective.schema allow bind_v2 pidfile /var/run/openldap/slapd.pid argsfile /var/run/openldap/slapd.args database bdb suffix "dc=flamengro,dc=com" checkpoint 1024 15 rootdn "cn=Manager,dc=flamengro,dc=com" rootpw secret directory /var/lib/ldap/flamengro index objectClass eq,pres index ou,cn,mail,surname,givenname eq,pres,sub index uidNumber,gidNumber,loginShell eq,pres index uid,memberUid eq,pres,sub index nisMapName,nisMapEntry eq,pres,sub database monitoraccess to * by dn.exact="cn=Manager,dc=flamengro,dc=com" read by * none access to attrs=userPassword,shadowLastChange by anonymous auth by self write by * none/ My sssd.conf file looks like this / [sssd] config_file_version = 2 reconnection_retries = 3 sbus_timeout = 30 services = nss, pam domains = default [nss] filter_groups = root filter_users = root reconnection_retries = 3 [pam] reconnection_retries = 3 [domain/default] auth_provider = ldap cache_credentials = True ldap_id_use_start_tls = True debug_level = 9 ldap_search_base = dc=flamengro,dc=com # krb5_realm = EXAMPLE.COM chpass_provider = ldap id_provider = ldap ldap_uri = ldap://ibm-01.flamengro.co.za # krb5_kdcip = kerberos.example.com ldap_tls_cacertdir = /etc/openldap/cacerts enumerate = True ldap_sasl_canonicalize = true # krb5_server = kerberos.example.com /

11 years, 2 months

4
3
0 / 0

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical July 2012