openldap-technical August 2012

openldap-technical@openldap.org

75 participants
91 discussions

new versions
by Friedrich Locke 06 Aug '12

06 Aug '12

Hi folks, i have noticed openldap keeps releasing new versions from time to time. I have not noticed changes in protocol specification. So why does openldap release new versions ? Isn't it mature enough yet ? I am asking cause i am used to djb tools like qmail and djbdns and they don't change since a long time ago. Please, don't get me wrong. I am no saying one approach is better than another, i am just curious about openldap. Thanks.

4 3

ACL processing: additive privs (using control continue)
by Dora Paula 06 Aug '12

06 Aug '12

Hi list, just a short question about "continue" and additive privileges, given the following acl statement: access to dn.subtree="o=test" attrs=sn by users =s continue by group/groupOfNames/member="cn=readers,ou=groups,o=test" +r If the current user's bindDn isn't a member of the group "cn=readers,..." or the group's entry does not exist, the previously set privilege "=s" will be reset to "none"? As the slapd.access man page just gives a "silly" and an "even more silly" example regarding "continue" I'm not sure this is the intended behavior. Attached you'll find my minimalistic testbed: slapd.conf sample ldif data two ldapsearch commands (including their slapd.log level 128) I'm using openldap MASTER. Thank you very much. Cheers Dora

4 9

slapcat not printing dn
by Frank Swasey 03 Aug '12

03 Aug '12

I'm using OpenLDAP 2.4.31 which I locally compiled on RHEL 6.3 64-bit. Last night as part of the nightly update process, a slapcat of the main suffix. There were 312,576 dn's in this database, and the last 4,794 entries printed were written out with in the form: dn: objectClass: groupOfNames cn: COURSE-201209-92184 member: uid=notreal,ou=people,dc=uvm,dc=edu structuralObjectClass: groupOfNames entryUUID: 1ee49f30-245e-4804-9be9-9faf0bb7f0c5 creatorsName: cn=theboss,dc=uvm,dc=edu createTimestamp: 20120803002051Z entryCSN: 20120803002051.460963Z#000000#000#000000 modifiersName: cn=theboss,dc=uvm,dc=edu modifyTimestamp: 20120803002051Z which is (as far as I know) not valid. I believe there has to be a dn value (and this morning, slapcat's performed are showing dn's in the output). I am using back-hdb to store this database. This is on the master server which has 10 replicas pulling changes off it using delta-syncrepl. A quick search of the ITS system shows ITS#6365 which hasn't been updated since February 2010 that seems to indicate the same (though in that one it was completely consistent) issue with an hdb database and slapcat. Any ideas? I have never seen this happen before, but I did just move to both OpenLDAP 2.4.31 and RHEL6 (was previously running OpenLDAP 2.4.28 plus fixes on RHEL5u8 64-bit). -- Frank Swasey | http://www.uvm.edu/~fcs Sr Systems Administrator | Always remember: You are UNIQUE, University of Vermont | just like everyone else. "I am not young enough to know everything." - Oscar Wilde (1854-1900)

2 1

Troubles with LDAP SYNC and doubt
by rodrigo tavares 03 Aug '12

03 Aug '12

Hello ! I sent a email to list saying about troubles in LDAP SYNC, this error was:ldap_sasl_bind_s failed (49) I found my error. I change for binddn="cn=admin,dc=defensoria,dc=mg,dc=gov,dc=br". So its is replicating. I have a doubt: the interval=01:00:00:00 This value is one hour ? Thanks ! Rodrigo Faria

3 2

What will happen if a user is a member of a group, but has another group as its primary group
by Qian Zhang 03 Aug '12

03 Aug '12

Hi, In my OpenLDAP server, it is possible to set a user as a member of a group, but it has another group as its primary group (I am using "LDAP Admin" as LDAP client tool). For example, in group1, I can see user1 as its "memberUid" attribute, but the "gidNumber" attribute of user1 is group2. I'd like to know if this is a reasonable configuration, and in this case, should I consider user1 as the member of group2 too? For example, if I configure a machine to only allow gruop2 to login, can user1 log into that machine? BTW, I do not know how to configure PAM to only allow a group or some groups to login the machine, if anyone can tell me the steps, it will be really appreciated! Thanks, Qian

4 7

Trying make a replication
by rodrigo tavares 03 Aug '12

03 Aug '12

Hello ! I have a troubles with replication slapd. Some logs #log of consumer Aug 2 16:21:37 serversamba slapd[1832]: slapd starting Aug 2 16:21:37 serversamba slapd[1832]: slap_client_connect: URI=ldap://10.26.7.46:389 DN="cn=syncrepl,dc=defensoria,dc=mg,dc=gov,dc=br" ldap_sasl_bind_s failed (49) Aug 2 16:21:37 serversamba slapd[1832]: do_syncrepl: rid=123 rc 49 retrying #logs of provider Aug 2 16:21:32 defensoria slapd[6345]: slapd starting Aug 2 16:21:38 defensoria slapd[6345]: conn=1000 fd=13 ACCEPT from IP=10.26.7.45:57491 (IP=0.0.0.0:389) Aug 2 16:21:38 defensoria slapd[6345]: conn=1000 op=0 BIND dn="cn=syncrepl,dc=defensoria,dc=mg,dc=gov,dc=br" method=128 Aug 2 16:21:38 defensoria slapd[6345]: conn=1000 op=0 RESULT tag=97 err=49 text= Aug 2 16:21:38 defensoria slapd[6345]: conn=1000 op=1 UNBIND Aug 2 16:21:38 defensoria slapd[6345]: conn=1000 fd=13 closed My provider: moduleload syncprov.la moduleload back_monitor.la moduleload back_bdb overlay syncprov syncprov-checkpoint 100 10 syncprov-sessionlog 100 My costumer: syncrepl rid=123 provider=ldap://10.26.7.46:389 type=refreshOnly interval=01:00:00:00 searchbase="dc=defensoria,dc=mg,dc=gov,dc=br" filter="(objectClass=organizationalPerson)" scope=sub attrs="cn,sn,ou,telephoneNumber,title,l" schemachecking=off bindmethod=simple binddn="cn=syncrepl,dc=defensoria,dc=mg,dc=gov,dc=br" credentials=galo When I make this under command, it´s run : ldapsearch -x -v -H 'ldap://10.26.7.46' -b 'dc=defensoria,dc=mg,dc=gov,dc=br' -D 'uid=syncrepl,ou=defensoria,dc=defensoria,dc=mg,dc=gov,dc=br' -W Any suggestion ? Thanks ! Rodrigo Faria Tavares

2 1

Re: What will happen if a user is a member of a group, but has another group as its primary group
by Dan White 02 Aug '12

02 Aug '12

(CCing the list) On 08/03/12 11:31 +0800, Qian Zhang wrote: >I am just wondering if there is a well-known rule for this use case, >I'd like to follow the general acceptable way. So most of people think >user1 should not log into the machine in this case, I will ingore >gidNumber and only care about memberUid attribute. Personally, I prefer to place authorization attributes within the user's dn, rather than to maintain groups for the same purpose, but I have done it both ways in the past. Using 'nssov-pam userhost [...]' would be a good way to do that. -- Dan White

1 0

import ldif does not work
by Karntol Dernsef 02 Aug '12

02 Aug '12

Hi list, I am fighting with openldap for some time now and I can't get it to work. I started clean. I've followed this tutorial, and everything works fine. I used followed the example and only changed dc=company,dc=com into dc=mycompany,dc=org. Then I want to import this file, because I am busy with a WebSphere book from Packtpub, and I need to follow along and setting up a LDAP server with these contents: -------------------------- dn: o=mycompany.org objectclass: top objectclass: organization o: mycompany.org dn: ou=users,o=mycompany.org objectclass:organizationalunit ou: users description: generic users branch dn: ou=groups,o=mycompany.org objectclass:organizationalunit ou: groups description: generic groups branch dn: ou=roles,o=mycompany.org objectclass:organizationalunit ou: roles description: generic roles branch dn: cn=wasadmin,ou=roles,o=mycompany.org cn: wasadmin uid: wasadmin objectclass: top objectclass: person objectclass: organizationalPerson objectclass: inetOrgPerson userpassword: wasadmin sn: wasadmin givenname: wasadmin title: wasadmin description: WAS Administrator dn: cn=ldapbind,ou=users,o=mycompany.org cn: ldapbind uid: ldapbind objectclass: top objectclass: person objectclass: organizationalPerson objectclass: inetOrgPerson userpassword: ldapbind sn: ldapbind givenname: ldapbind title: ldapbind description: ldapbind dn: cn=Bob Jackson,ou=users,o=mycompany.org cn: Bob Jackson uid: bjackson mail: bjackson(a)mycompany.org objectclass: top objectclass: person objectclass: organizationalPerson objectclass: inetOrgPerson userpassword: password sn: Jackson givenname: Bob telephonenumber: 123456789 title: WAS Administrator description: LDAP test user dn: cn=Mary Smith,ou=users,o=mycompany.org cn: Mary Smith uid: msmith mail: msmith(a)mycompany.org objectclass: top objectclass: person objectclass: organizationalPerson objectclass: inetOrgPerson userpassword: password sn: Smith givenname: Mary telephonenumber: 123456789 title: WAS Administrator description: LDAP test user dn: cn=wasadmins,ou=groups,o=mycompany.org objectclass: groupofnames cn: wasadmins description: WAS Admins # add the group members all of which are # assumed to exist under people member: cn=Bob Jackson,ou=users,o=mycompany.org member: cn=Mary Smith,ou=users,o=mycompany.org member: cn=wasadmin,ou=roles,o=mycompany.org But when I want to import, I get this: [root@CentOS-01 cn=config]# ldapadd -W -D cn=admin,dc=mycompany,dc=org -v -x -f /tmp/mycompanyorg.ldif ldap_initialize( <DEFAULT> ) Enter LDAP Password: add objectclass: top organization add o: mycompany.org adding new entry "o=mycompany.org" ldap_add: Server is unwilling to perform (53) additional info: no global superior knowledge When I do this: [root@CentOS-01 cn=config]# ldapsearch -xLLWD cn=admin,dc=mycompany,dc=org -b dc=mycompany,dc=org dn Enter LDAP Password: version: 1 No such object (32) Something tells me it's wrong. So, a friend who helped me said I had to create the company first, and that I should use dc=company,dc=org instead of o=company.org. I had to create the company first in the LDAP he said, so he passed me this file: # usergroups.ldif # # dn: dc=mycompany,dc=org dc: company objectClass: top objectClass: domain dn: ou=users,dc=mycompany,dc=org ou: Users objectClass: top objectClass: organizationalUnit description: Central location for UNIX users dn: ou=groups,dc=mycompany,dc=org ou: Groups objectClass: top objectClass: organizationalUnit description: Central location for UNIX groups # EOF But I can't add that: [root@CentOS-01 cn=config]# ldapadd -W -D cn=admin,dc=mycompany,dc=org -v -x -f /tmp/usergroup.ldif ldap_initialize( <DEFAULT> ) Enter LDAP Password: add dc: company add objectClass: top domain adding new entry "dc=mycompany,dc=org" ldap_add: Naming violation (64) additional info: value of single-valued naming attribute 'dc' conflicts with value present in entry I hope I will ever solve this, I can't complete my study now and have wasted hours and hours on this ldap problem. I hope you can help me out.. Karntol

2 2

AW: modify search base dn depending on search filter
by Robert Eikermann 01 Aug '12

01 Aug '12

Yes, I use rwm and the meta backend. But I'm not fixed to that ----- Ursprüngliche Nachricht ----- Von: Gavin Henry Gesendet: 01.08.2012 23:39 An: Robert Eikermann Cc: openldap-technical(a)openldap.org Betreff: Re: modify search base dn depending on search filter > Hi, > > can please someone give me a hint, how to change the search base dn > depending on the search filter. If someone searches “cn=a@b” at a fixed base > like dc=local I want to rewrite this search to cn=a with search base > “dc=b,dc=local” Hi Robert, Did you read man slapo-rwm ? Thanks. -- Kind Regards, Gavin Henry. Managing Director. T +44 (0) 1224 279484 M +44 (0) 7930 323266 F +44 (0) 1224 824887 E ghenry(a)suretecsystems.com Open Source. Open Solutions(tm). http://www.suretecsystems.com/ Suretec Systems is a limited company registered in Scotland. Registered number: SC258005. Registered office: 24 Cormack Park, Rothienorman, Inverurie, Aberdeenshire, AB51 8GL. Subject to disclaimer at http://www.suretecgroup.com/disclaimer.html Do you know we have our own VoIP provider called SureVoIP? See http://www.surevoip.co.uk Did you see our API news? http://www.surevoip.co.uk/news-events/surevoip-launches-innovative-api

1 0

modify search base dn depending on search filter
by Robert Eikermann 01 Aug '12

01 Aug '12

Hi, can please someone give me a hint, how to change the search base dn depending on the search filter. If someone searches "cn=a@b" at a fixed base like dc=local I want to rewrite this search to cn=a with search base "dc=b,dc=local" Thanks for help Robert

2 1

← Newer
1
2
3
4
5
6
7
8
9
10
Older →

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical August 2012