new versions
by Friedrich Locke
Hi folks,
I have noticed OpenLDAP keeps releasing new versions from time to
time. I have not noticed changes in the protocol specification. So why
does OpenLDAP release new versions? Isn't it mature enough yet? I am
asking because I am used to DJB tools like qmail and djbdns, and they
haven't changed in a long time.
Please, don't get me wrong. I am not saying one approach is better than
another, I am just curious about OpenLDAP.
Thanks.
ACL processing: additive privs (using control continue)
by Dora Paula
Hi list,
just a short question about "continue" and additive privileges, given
the following ACL statement:
access to dn.subtree="o=test" attrs=sn
by users =s continue
by group/groupOfNames/member="cn=readers,ou=groups,o=test" +r
If the current user's bindDn isn't a member of the group
"cn=readers,..." or the group's entry does not exist, will the previously set
privilege "=s" be reset to "none"?
As the slapd.access man page just gives a "silly" and an "even more
silly" example regarding "continue" I'm not sure this is the intended
behavior.
Attached you'll find my minimalistic testbed:
slapd.conf
sample ldif data
two ldapsearch commands (including their slapd.log level 128)
I'm using openldap MASTER.
Thank you very much.
Cheers
Dora
slapcat not printing dn
by Frank Swasey
I'm using OpenLDAP 2.4.31 which I locally compiled on RHEL 6.3 64-bit.
Last night, as part of the nightly update process, a slapcat of the main suffix was run. There were
312,576 DNs in this database, and the last 4,794 entries printed were written out in the
form:
dn:
objectClass: groupOfNames
cn: COURSE-201209-92184
member: uid=notreal,ou=people,dc=uvm,dc=edu
structuralObjectClass: groupOfNames
entryUUID: 1ee49f30-245e-4804-9be9-9faf0bb7f0c5
creatorsName: cn=theboss,dc=uvm,dc=edu
createTimestamp: 20120803002051Z
entryCSN: 20120803002051.460963Z#000000#000#000000
modifiersName: cn=theboss,dc=uvm,dc=edu
modifyTimestamp: 20120803002051Z
which is (as far as I know) not valid. I believe there has to be a dn value (and this morning,
the slapcats performed are showing DNs in the output).
I am using back-hdb to store this database. This is on the master server which has 10 replicas
pulling changes off it using delta-syncrepl.
A quick search of the ITS system shows ITS#6365, which hasn't been updated since February 2010
and seems to indicate the same issue (though in that one it was completely consistent) with an
hdb database and slapcat.
Any ideas? I have never seen this happen before, but I did just move to both OpenLDAP 2.4.31
and RHEL6 (was previously running OpenLDAP 2.4.28 plus fixes on RHEL5u8 64-bit).
--
Frank Swasey | http://www.uvm.edu/~fcs
Sr Systems Administrator | Always remember: You are UNIQUE,
University of Vermont | just like everyone else.
"I am not young enough to know everything." - Oscar Wilde (1854-1900)
Troubles with LDAP SYNC and doubt
by rodrigo tavares
Hello !
I sent an email to the list about troubles with LDAP SYNC; the error was: ldap_sasl_bind_s failed (49)
I found my error. I changed to binddn="cn=admin,dc=defensoria,dc=mg,dc=gov,dc=br".
So it is replicating.
I have a doubt about interval=01:00:00:00
Is this value one hour?
Thanks !
Rodrigo Faria
What will happen if a user is a member of a group, but has another group as its primary group
by Qian Zhang
Hi,
In my OpenLDAP server, it is possible to set a user as a member of a
group while it has another group as its primary group (I am using "LDAP
Admin" as the LDAP client tool). For example, in group1 I can see user1
in its "memberUid" attribute, but the "gidNumber" attribute of user1
is group2.
I'd like to know if this is a reasonable configuration, and in this
case, should I consider user1 a member of group2 too? For
example, if I configure a machine to only allow group2 to log in, can
user1 log into that machine?
BTW, I do not know how to configure PAM to only allow a group or some
groups to log in to the machine; if anyone can tell me the steps, it would
be really appreciated!
Thanks,
Qian
Trying make a replication
by rodrigo tavares
Hello !
I have troubles with slapd replication.
Some logs
#log of consumer
Aug 2 16:21:37 serversamba slapd[1832]: slapd starting
Aug 2 16:21:37 serversamba slapd[1832]: slap_client_connect:
URI=ldap://10.26.7.46:389
DN="cn=syncrepl,dc=defensoria,dc=mg,dc=gov,dc=br" ldap_sasl_bind_s
failed (49)
Aug 2 16:21:37 serversamba slapd[1832]: do_syncrepl: rid=123 rc 49 retrying
#logs of provider
Aug 2 16:21:32 defensoria slapd[6345]: slapd starting
Aug 2 16:21:38 defensoria slapd[6345]: conn=1000 fd=13 ACCEPT from IP=10.26.7.45:57491 (IP=0.0.0.0:389)
Aug 2 16:21:38 defensoria slapd[6345]: conn=1000 op=0 BIND dn="cn=syncrepl,dc=defensoria,dc=mg,dc=gov,dc=br" method=128
Aug 2 16:21:38 defensoria slapd[6345]: conn=1000 op=0 RESULT tag=97 err=49 text=
Aug 2 16:21:38 defensoria slapd[6345]: conn=1000 op=1 UNBIND
Aug 2 16:21:38 defensoria slapd[6345]: conn=1000 fd=13 closed
My provider:
moduleload syncprov.la
moduleload back_monitor.la
moduleload back_bdb
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
My consumer:
syncrepl rid=123
provider=ldap://10.26.7.46:389
type=refreshOnly
interval=01:00:00:00
searchbase="dc=defensoria,dc=mg,dc=gov,dc=br"
filter="(objectClass=organizationalPerson)"
scope=sub
attrs="cn,sn,ou,telephoneNumber,title,l"
schemachecking=off
bindmethod=simple
binddn="cn=syncrepl,dc=defensoria,dc=mg,dc=gov,dc=br"
credentials=galo
When I run the command below, it works:
ldapsearch -x -v -H 'ldap://10.26.7.46' -b
'dc=defensoria,dc=mg,dc=gov,dc=br' -D
'uid=syncrepl,ou=defensoria,dc=defensoria,dc=mg,dc=gov,dc=br' -W
Any suggestion ?
Thanks !
Rodrigo Faria Tavares
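The provider log above already shows what went wrong: the consumer bound as cn=syncrepl,... with a simple bind (method=128) and got err=49, which is invalidCredentials, while the ldapsearch that works uses a different DN (uid=syncrepl,ou=defensoria,...). As an added example, not part of the post, the following Python script correlates the ACCEPT, BIND and RESULT lines of a slapd stats log (loglevel 256) by connection to list failed binds with the DN and peer IP, and also converts a syncrepl interval from the dd:hh:mm:ss form that slapd.conf(5) uses, which answers the 01:00:00:00 question in the "Troubles with LDAP SYNC" post above. The sample log is the one quoted in this post.

```python
import re

# Constructed sample: the provider-side stats log (loglevel 256) quoted in the post.
SAMPLE_LOG = """\
Aug 2 16:21:32 defensoria slapd[6345]: slapd starting
Aug 2 16:21:38 defensoria slapd[6345]: conn=1000 fd=13 ACCEPT from IP=10.26.7.45:57491 (IP=0.0.0.0:389)
Aug 2 16:21:38 defensoria slapd[6345]: conn=1000 op=0 BIND dn="cn=syncrepl,dc=defensoria,dc=mg,dc=gov,dc=br" method=128
Aug 2 16:21:38 defensoria slapd[6345]: conn=1000 op=0 RESULT tag=97 err=49 text=
Aug 2 16:21:38 defensoria slapd[6345]: conn=1000 op=1 UNBIND
Aug 2 16:21:38 defensoria slapd[6345]: conn=1000 fd=13 closed
"""

ACCEPT_RE = re.compile(r"conn=(\d+) fd=\d+ ACCEPT from IP=([\d.]+):\d+")
BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)" method=(\d+)')
RESULT_RE = re.compile(r"conn=(\d+) op=(\d+) RESULT tag=97 err=(\d+)")  # tag 97 = BindResponse

def failed_binds(log_text):
    """Correlate ACCEPT/BIND/RESULT lines by conn and op; report every bind that did not
    return err=0 with its DN, the peer IP and whether it was a simple bind (method=128).
    err=49 is LDAP invalidCredentials, the code seen in the post."""
    peer, binds, failures = {}, {}, []
    for line in log_text.splitlines():
        m = ACCEPT_RE.search(line)
        if m:
            peer[m.group(1)] = m.group(2)
            continue
        m = BIND_RE.search(line)
        if m:
            binds[(m.group(1), m.group(2))] = (m.group(3), int(m.group(4)))
            continue
        m = RESULT_RE.search(line)
        if m and m.group(3) != "0":
            dn, method = binds.get((m.group(1), m.group(2)), ("", 0))
            failures.append({"conn": m.group(1), "ip": peer.get(m.group(1), "?"),
                             "dn": dn, "simple": method == 128, "err": int(m.group(3))})
    return failures

def syncrepl_interval_seconds(spec):
    """slapd.conf(5) spells the refreshOnly interval as dd:hh:mm:ss, so 01:00:00:00 is one day."""
    days, hours, minutes, seconds = (int(x) for x in spec.split(":"))
    return ((days * 24 + hours) * 60 + minutes) * 60 + seconds

if __name__ == "__main__":
    for f in failed_binds(SAMPLE_LOG):
        print("conn=%(conn)s from %(ip)s: bind as %(dn)r failed with err=%(err)d" % f)
    print(syncrepl_interval_seconds("01:00:00:00"))
```

Running it on a larger provider log turns the scattered BIND/RESULT pairs into a short list of which DNs fail to authenticate from which replica.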
Re: What will happen if a user is a member of a group, but has another group as its primary group
by Dan White
(CCing the list)
On 08/03/12 11:31 +0800, Qian Zhang wrote:
>I am just wondering if there is a well-known rule for this use case,
>I'd like to follow the generally acceptable way. So if most people think
>user1 should not log into the machine in this case, I will ignore
>gidNumber and only care about the memberUid attribute.
Personally, I prefer to place authorization attributes within the user's dn,
rather than to maintain groups for the same purpose, but I have done it
both ways in the past.
Using 'nssov-pam userhost [...]' would be a good way to do that.
--
Dan White
import ldif does not work
by Karntol Dernsef
Hi list,
I have been fighting with OpenLDAP for some time now and I can't get it to work.
I started clean.
I've followed this tutorial, and everything works fine.
I followed the example and only changed dc=company,dc=com into
dc=mycompany,dc=org.
Then I want to import this file, because I am busy with a WebSphere book
from Packtpub, and I need to follow along by setting up an LDAP server with
these contents:
--------------------------
dn: o=mycompany.org
objectclass: top
objectclass: organization
o: mycompany.org
dn: ou=users,o=mycompany.org
objectclass:organizationalunit
ou: users
description: generic users branch
dn: ou=groups,o=mycompany.org
objectclass:organizationalunit
ou: groups
description: generic groups branch
dn: ou=roles,o=mycompany.org
objectclass:organizationalunit
ou: roles
description: generic roles branch
dn: cn=wasadmin,ou=roles,o=mycompany.org
cn: wasadmin
uid: wasadmin
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
userpassword: wasadmin
sn: wasadmin
givenname: wasadmin
title: wasadmin
description: WAS Administrator
dn: cn=ldapbind,ou=users,o=mycompany.org
cn: ldapbind
uid: ldapbind
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
userpassword: ldapbind
sn: ldapbind
givenname: ldapbind
title: ldapbind
description: ldapbind
dn: cn=Bob Jackson,ou=users,o=mycompany.org
cn: Bob Jackson
uid: bjackson
mail: bjackson(a)mycompany.org
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
userpassword: password
sn: Jackson
givenname: Bob
telephonenumber: 123456789
title: WAS Administrator
description: LDAP test user
dn: cn=Mary Smith,ou=users,o=mycompany.org
cn: Mary Smith
uid: msmith
mail: msmith(a)mycompany.org
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
userpassword: password
sn: Smith
givenname: Mary
telephonenumber: 123456789
title: WAS Administrator
description: LDAP test user
dn: cn=wasadmins,ou=groups,o=mycompany.org
objectclass: groupofnames
cn: wasadmins
description: WAS Admins
# add the group members all of which are
# assumed to exist under people
member: cn=Bob Jackson,ou=users,o=mycompany.org
member: cn=Mary Smith,ou=users,o=mycompany.org
member: cn=wasadmin,ou=roles,o=mycompany.org
But when I want to import, I get this:
[root@CentOS-01 cn=config]# ldapadd -W -D cn=admin,dc=mycompany,dc=org -v
-x -f /tmp/mycompanyorg.ldif
ldap_initialize( <DEFAULT> )
Enter LDAP Password:
add objectclass:
top
organization
add o:
mycompany.org
adding new entry "o=mycompany.org"
ldap_add: Server is unwilling to perform (53)
additional info: no global superior knowledge
When I do this:
[root@CentOS-01 cn=config]# ldapsearch -xLLWD cn=admin,dc=mycompany,dc=org
-b dc=mycompany,dc=org dn
Enter LDAP Password:
version: 1
No such object (32)
Something tells me it's wrong.
So, a friend who helped me said I had to create the company first, and that
I should use dc=company,dc=org instead of o=company.org.
He said I had to create the company first in LDAP, so he passed me this
file:
# usergroups.ldif
#
#
dn: dc=mycompany,dc=org
dc: company
objectClass: top
objectClass: domain
dn: ou=users,dc=mycompany,dc=org
ou: Users
objectClass: top
objectClass: organizationalUnit
description: Central location for UNIX users
dn: ou=groups,dc=mycompany,dc=org
ou: Groups
objectClass: top
objectClass: organizationalUnit
description: Central location for UNIX groups
# EOF
But I can't add that:
[root@CentOS-01 cn=config]# ldapadd -W -D cn=admin,dc=mycompany,dc=org -v
-x -f /tmp/usergroup.ldif
ldap_initialize( <DEFAULT> )
Enter LDAP Password:
add dc:
company
add objectClass:
top
domain
adding new entry "dc=mycompany,dc=org"
ldap_add: Naming violation (64)
additional info: value of single-valued naming attribute 'dc' conflicts
with value present in entry
I hope I will ever solve this; I can't complete my study now and have
wasted hours and hours on this LDAP problem.
I hope you can help me out.
Karntol
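Both errors in the post follow from the LDIF itself: "o=mycompany.org" is not under the suffix the tutorial configured (dc=mycompany,dc=org), which slapd reports as "no global superior knowledge", and the second file's "dc: company" does not match the RDN value in "dc=mycompany,dc=org", which is the naming violation. As an added example, not from the post or the book, the following Python lint catches both before ldapadd is run, and also flags the empty "dn:" that the "slapcat not printing dn" post above shows in slapcat output. It assumes the suffix is dc=mycompany,dc=org as in the post.

```python
# Constructed sample from the posts: the two entries slapd rejected (one outside the suffix,
# one whose dc value does not match its RDN) and a slapcat-style entry with an empty dn.
SUFFIX = "dc=mycompany,dc=org"
SAMPLE_LDIF = """\
dn: o=mycompany.org
objectclass: organization
o: mycompany.org

dn: dc=mycompany,dc=org
dc: company
objectClass: domain

dn:
objectClass: groupOfNames
cn: COURSE-201209-92184
"""

def parse_ldif(text):
    """Minimal LDIF reader -> list of (dn, {attr.lower(): [values]}). Comments are skipped;
    base64 (::) values and folded lines are not handled, which is fine for a sanity check."""
    entries, dn, attrs = [], None, None
    for line in text.splitlines() + [""]:   # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():                 # a blank line ends an entry
            if dn is not None:
                entries.append((dn, attrs))
            dn = attrs = None
            continue
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            dn, attrs = value, {}
        elif attrs is not None:
            attrs.setdefault(name, []).append(value)
    return entries

def lint(text, suffix):
    """Return (dn, problem) pairs for the three defects the posts show: an entry outside the
    database suffix, an RDN whose value is absent from the entry, and an empty dn."""
    problems, nsuffix = [], suffix.strip().lower()
    for dn, attrs in parse_ldif(text):
        if not dn:
            problems.append((dn, "empty dn"))
            continue
        ndn = dn.strip().lower()
        if ndn != nsuffix and not ndn.endswith("," + nsuffix):
            problems.append((dn, "outside suffix %s (slapd: no global superior knowledge)" % suffix))
            continue
        rdn_attr, _, rdn_val = ndn.split(",", 1)[0].partition("=")
        if rdn_val not in [v.lower() for v in attrs.get(rdn_attr, [])]:
            problems.append((dn, "RDN %s=%s has no matching attribute value (slapd: Naming violation)"
                             % (rdn_attr, rdn_val)))
    return problems
```

An entry such as "dn: ou=users,dc=mycompany,dc=org" with "ou: Users" passes all three checks, so the lint only reports the entries slapd would refuse.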
Re: modify search base dn depending on search filter
by Robert Eikermann
Yes, I use rwm and the meta backend. But I'm not fixed on that.
----- Original message -----
From: Gavin Henry
Sent: 01.08.2012 23:39
To: Robert Eikermann
Cc: openldap-technical(a)openldap.org
Subject: Re: modify search base dn depending on search filter
> Hi,
>
> can please someone give me a hint, how to change the search base dn
> depending on the search filter. If someone searches “cn=a@b” at a fixed base
> like dc=local I want to rewrite this search to cn=a with search base
> “dc=b,dc=local”
Hi Robert,
Did you read man slapo-rwm ?
Thanks.
--
Kind Regards,
Gavin Henry.
Managing Director.
T +44 (0) 1224 279484
M +44 (0) 7930 323266
F +44 (0) 1224 824887
E ghenry(a)suretecsystems.com
Open Source. Open Solutions(tm).
http://www.suretecsystems.com/
modify search base dn depending on search filter
by Robert Eikermann
Hi,
can someone please give me a hint on how to change the search base DN
depending on the search filter. If someone searches "cn=a@b" at a fixed base
like dc=local, I want to rewrite this search to cn=a with search base
"dc=b,dc=local".
Thanks for the help
Robert