Editing the olcAccess
by S, Mohan (GE Energy)
Hi,
I've configured olcAccess for my bdb database and I'm not able to modify
it using ldapmodify.
I tried deleting it:
ldapmodify -x -h xxx.example.org -D
"cn=replicator,ou=admins,dc=example,dc=org" -w secret -f delete.ldif
No error
cat delete.ldif
changetype: modify
delete: olcAccess
olcAccess: {0}
olcAccess: {1}
ldapmodify -x -h xxx.example.org -D
"cn=replicator,ou=admins,dc=example,dc=org" -w secret -f add.ldif
No error
cat add.ldif
changetype: modify
add: olcAccess
olcAccess: to attrs=userPassword by self write by anonymous auth by
dn.children="ou=admins,dc=example,dc=org" write by * none
olcAccess: to * by self write by
dn.children="ou=admins,dc=example,dc=org" write by * read
olcAccess: to * by self write by
dn.children="ou=melbourne,dc=example,dc=org" write by * read
My ldapsearch -xLLL -b cn=config -D cn=admin,cn=config -W
olcDatabase={1}bdb returns the old olcAccess. The new access rules are not getting
reflected. Can anyone guide me on how to add/edit olcAccess?
Can anyone please help me ...
Thanks,
Mohan
RE: Editing the olcAccess
by S, Mohan (GE Energy)
I was able to do this. I missed the line dn: olcDatabase={2}bdb,cn=config
in my LDIF file. Apologies.
Regards,
Mohan
From: S, Mohan (GE Energy)
Sent: Thursday, September 06, 2012 8:26 PM
To: openldap-technical(a)openldap.org
Subject: Editing the olcAccess
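The follow-up traces the problem to a modify record with no dn: line. As an added example that is not part of the thread, the small LDIF linter below parses change records the way ldapmodify reads them and flags exactly that, plus a second defect visible in the mailed add.ldif: a long olcAccess value continued on a new line without the single leading space that RFC 2849 requires for a folded line. The dn olcDatabase={2}bdb,cn=config is the one named in the reply; everything else is constructed here.

```python
import re

ATTR_NAME = re.compile(r"[A-Za-z][A-Za-z0-9.;-]*")
MOD_OPS = ("add", "delete", "replace")

def parse_record(block):
    """Parse one LDIF change record; returns (dn, changetype, mods, errors)."""
    dn = changetype = current = None
    mods, errors = [], []
    # RFC 2849 folds a long value as newline + one space; unfolding drops both characters
    for line in re.sub(r"\n ", "", block).splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        if line == "-":  # ends one add/delete/replace block
            current = None
            continue
        attr, sep, value = line.partition(":")
        if not sep or not ATTR_NAME.fullmatch(attr):
            errors.append("not an attribute line (wrapped value missing its leading-space continuation?): %r" % line)
            continue
        attr, value = attr.lower(), value.strip()  # base64 (::) and URL (:<) forms not handled
        if attr == "dn":
            dn = value
        elif attr == "changetype":
            changetype = value.lower()
        elif attr in MOD_OPS:
            current = [attr, value, []]
            mods.append(current)
        elif current is not None and attr == current[1].lower():
            current[2].append(value)
        else:
            errors.append("attribute %r appears outside an add/delete/replace block" % attr)
    if dn is None:
        errors.insert(0, "record has no dn: line, so slapd cannot tell which entry to change")
    return dn, changetype, mods, errors

def lint_ldif(text):
    """Return [(dn, errors)] for every blank-line-separated record in the LDIF text."""
    records = [parse_record(b) for b in re.split(r"\n\s*\n", text.strip()) if b.strip()]
    return [(dn, errors) for dn, _changetype, _mods, errors in records]

# Constructed sample: the thread's add.ldif as mailed (no dn: line; ACL value wrapped without a leading space).
AS_POSTED = """\
changetype: modify
add: olcAccess
olcAccess: to attrs=userPassword by self write by anonymous auth by
dn.children="ou=admins,dc=example,dc=org" write by * none
"""
# With the dn: the follow-up found missing, folded per RFC 2849 (space kept before "\n " since unfolding drops both).
FIXED = "dn: olcDatabase={2}bdb,cn=config\n" + AS_POSTED.replace("by\ndn.", "by \n dn.")
```

Running lint_ldif over a file before ldapmodify catches both defects; ldapmodify itself reports nothing useful for the dn-less record, which matches the "No error" seen in the thread.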
ACL (Regex) help needed
by Denny Schierz
hi,
I have the following structure:
cn=foobar,ou=aliases,dc=domain1,ou=mail,ou=services,ou=department,dc=domain,dc=foo
cn=foobar1,ou=aliases,dc=domain2,ou=mail,ou=services,ou=department,dc=domain,dc=foo
cn=foobar2,ou=aliases,dc=domain2,ou=mail,ou=services,ou=department,dc=domain,dc=foo
cn=foobar looks like:
dn: foobar,ou=aliases,dc=domain1,ou=mail,ou=services,ou=department,dc=domain,dc=foo
objectClass: inetLocalMailRecipient
objectClass: person
objectClass: top
cn: admin
sn: admin
description: added_by_dekanat
mailLocalAddress: sysop(a)department.domain.foo
mailRoutingAddress: foobar(a)department.domain.foo
At the moment I have one role "mail" that has access to:
dn.sub="ou=mail,ou=services,ou=department,dc=domain,dc=foo" read
it works as expected, the mailserver can read all entries.
Now I want to create a role that has permission to delete/add/modify all entries below ou=aliases, from all domains (dc=domain,ou=mail...), but only if "description: <string>" is found (for delete/modify only, not for add).
Is that possible?
Otherwise, how does it look if I throw out the "only if" idea?
cu denny
LDAP Administration
by Brian Green
Hello,
I have recently taken over a bunch of systems controlled by an LDAP
database - however, the previous admin didn't add me to the needed group
so that I can fully administer the LDAP directory.
Is there a way I can force LDAP to add me to this group? I have root
access to the Linux server where the OpenLDAP system is hosted, if that
helps. I've tried changing the .acl documents - that didn't seem to work
to allow me to add myself to that group. This is a production system, so
taking it down for a long period of time, or messing it up, would be bad.
Thanks for any help,
Brian
Slaving from Mirror Mode
by Nick Urbanik
Dear Folks,
I am having trouble understanding
http://www.openldap.org/doc/admin24/dual_dc.png. In particular, I do
not understand the exact meaning of the bidirectional arrows, and the
purpose of the upper pair of load balancers.
1. Are the upper load balancers there to chain writes to both mirror
mode masters?
2. Is the "replica pool" configured to replicate from both masters or
only from one?
I am setting up mirror mode masters both in the same data centre, with
one slave offsite. Should all the slaves slave from both masters, or
should they slave from a load balancer which decides which master is
getting the writes at present?
Although our slaves are busy, surviving network issues with data that is
consistent and correct is very important. Network outages and strange
disconnects are the rule without automated configuration management
for network devices.
--
Nick Urbanik http://nicku.org 808-71011 nick.urbanik(a)optusnet.com.au
GPG: 7FFA CDC7 5A77 0558 DC7A 790A 16DF EC5B BB9D 2C24 ID: BB9D2C24
I disclaim, therefore I am.
Re: Execute a Filter and get the boolean status true/false
by Puneet Khunteta
Hello Quanah,
Then, what should I do to attach the noop control to the ldap_search_s()
operation?
Regards,
PKHUN
On Thu, Sep 6, 2012 at 12:48 AM, Quanah Gibson-Mount <quanah(a)zimbra.com> wrote:
> --On Wednesday, September 05, 2012 9:03 PM +0200 Michael Ströder
> <michael(a)stroeder.com> wrote:
>
>> Puneet Khunteta wrote:
>>
>>> Basically I need the count of how many SearchResultEntry responses you get
>>> from ldap_search_s().
>>
>> You won't get the count without retrieving the results.
>
> Incorrect. You can use the noop control to do this. We actually do this
> now in Zimbra to get the total number of accounts in LDAP without having to
> get the full result set back.
>
> --Quanah
>
> --
>
> Quanah Gibson-Mount
> Sr. Member of Technical Staff
> Zimbra, Inc
> A Division of VMware, Inc.
> --------------------
> Zimbra :: the leader in open source messaging and collaboration
ldap_count_messages() Vs. ldap_count_entries() Vs. ldap_count_references()
by Puneet Khunteta
Hello,
Please let me know the difference between the following three and their
corresponding usage:
ldap_count_messages()
ldap_count_entries()
ldap_count_references()
If possible, narrate with some examples; test application source code
will be very much appreciated.
Regards,
PKHUN
ldapsearch SASL/GSSAPI bind really slow
by Matthew B. Brookover
I am upgrading the OpenLDAP servers and ran into a bit of a problem.
SASL/GSSAPI binds to the new server are too slow. An ldapsearch to the
old server using GSSAPI to bind is much faster on the old server than
the same search on the new server.
I am not even sure where to start to debug this and am hoping that
someone will have some ideas.
First off, here are a few details:
The old LDAP server is running Openldap 2.3.43 on CentOS 5.2 with the
CentOS built MIT Kerberos(1.6.1) and saslauthd (2.1.22). This server is
configured with the slapd.conf file. The host name is
infinite.mines.edu in the example runs below.
The new LDAP server is running OpenLDAP 2.4.31 on CentOS 6.3 with the
CentOS built MIT Kerberos (1.9) and saslauthd (2.1.23). This server is
configured with slapd-config (the new dynamic configuration is very cool!).
The host name is infinite-temp.mines.edu in the example runs below.
Both the old and new servers are configured to use SASL for GSSAPI and
for simple binds.
First test, simple bind to new server and then the old server:
[testua@merlin ~]$ time ldapsearch -LLL -ZZ -Duid=testua,ou=People,dc=mines,dc=edu -y passwd -x -Hldap://infinite-temp.mines.edu/ -bou=People,dc=mines,dc=edu uid=testua
dn: uid=testua,ou=People,dc=mines,dc=edu
uid: testua
cn: estua, t
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
shadowLastChange: 12780
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
gidNumber: 11192
host: imagine.mines.edu
gecos: estua, t
homeDirectory: /u/ca/fl/testua
userPassword:: e1NBU0x9dGVzdHVhQE1JTkVTLkVEVQ==
uidNumber: 11192
real 0m0.324s
user 0m0.017s
sys 0m0.004s
[testua@merlin ~]$ time ldapsearch -LLL -ZZ -Duid=testua,ou=People,dc=mines,dc=edu -y passwd -x -Hldap://infinite.mines.edu/ -bou=People,dc=mines,dc=edu uid=testua
dn: uid=testua,ou=People,dc=mines,dc=edu
uid: testua
cn: estua, t
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
shadowLastChange: 12780
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
gidNumber: 11192
host: imagine.mines.edu
gecos: estua, t
homeDirectory: /u/ca/fl/testua
userPassword:: e1NBU0x9dGVzdHVhQE1JTkVTLkVEVQ==
uidNumber: 11192
real 0m0.163s
user 0m0.016s
sys 0m0.004s
[testua@merlin ~]$
As you can see, the new server takes nearly twice as long to perform the
search as the old server. Both servers are using saslauthd to send the
password to Kerberos for authentication.
Next test, GSSAPI bind to the new server and then the old server:
[testua@merlin ~]$ kinit
Password for testua(a)MINES.EDU:
[testua@merlin ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_11192_d1yOuC
Default principal: testua(a)MINES.EDU
Valid starting Expires Service principal
07/25/12 13:32:11 07/26/12 04:32:11 krbtgt/MINES.EDU(a)MINES.EDU
renew until 07/26/12 13:32:07
Kerberos 4 ticket cache: /tmp/tkt11192
klist: You have no tickets cached
[testua@merlin ~]$ time ldapsearch -LLL -ZZ -Hldap://infinite-temp.mines.edu/ -bou=People,dc=mines,dc=edu uid=testua
SASL/GSSAPI authentication started
SASL username: testua(a)MINES.EDU
SASL SSF: 56
SASL data security layer installed.
dn: uid=testua,ou=People,dc=mines,dc=edu
uid: testua
cn: estua, t
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
shadowLastChange: 12780
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
gidNumber: 11192
host: imagine.mines.edu
gecos: estua, t
homeDirectory: /u/ca/fl/testua
userPassword:: e1NBU0x9dGVzdHVhQE1JTkVTLkVEVQ==
uidNumber: 11192
real 0m1.145s
user 0m0.021s
sys 0m0.004s
[testua@merlin ~]$ time ldapsearch -LLL -ZZ -Hldap://infinite.mines.edu/ -bou=People,dc=mines,dc=edu uid=testua
SASL/GSSAPI authentication started
SASL username: testua(a)MINES.EDU
SASL SSF: 56
SASL data security layer installed.
dn: uid=testua,ou=People,dc=mines,dc=edu
uid: testua
cn: estua, t
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
shadowLastChange: 12780
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
gidNumber: 11192
host: imagine.mines.edu
gecos: estua, t
homeDirectory: /u/ca/fl/testua
userPassword:: e1NBU0x9dGVzdHVhQE1JTkVTLkVEVQ==
uidNumber: 11192
real 0m0.123s
user 0m0.021s
sys 0m0.003s
[testua@merlin ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_11192_d1yOuC
Default principal: testua(a)MINES.EDU
Valid starting Expires Service principal
07/25/12 13:32:11 07/26/12 04:32:11 krbtgt/MINES.EDU(a)MINES.EDU
renew until 07/26/12 13:32:07
07/25/12 13:32:33 07/26/12 04:32:11 ldap/infinite-temp.mines.edu(a)MINES.EDU
renew until 07/26/12 13:32:07
07/25/12 13:32:41 07/26/12 04:32:11 ldap/infinite.mines.edu(a)MINES.EDU
renew until 07/26/12 13:32:07
Kerberos 4 ticket cache: /tmp/tkt11192
klist: You have no tickets cached
[testua@merlin ~]$
The old server is 9 times faster than the new server.
This last test is to show that an anonymous bind is very fast and
indicates to me that the network, BDB, caching, etc are not the issue.
This test is to both servers, using a simple bind, first the old server
and then the new server:
[testua@merlin ~]$ time ldapsearch -LLL -ZZ -x -Hldap://infinite.mines.edu/ -bou=People,dc=mines,dc=edu uid=testua
dn: uid=testua,ou=People,dc=mines,dc=edu
uid: testua
cn: estua, t
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
shadowLastChange: 12780
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
gidNumber: 11192
host: imagine.mines.edu
gecos: estua, t
homeDirectory: /u/ca/fl/testua
userPassword:: e1NBU0x9dGVzdHVhQE1JTkVTLkVEVQ==
uidNumber: 11192
real 0m0.049s
user 0m0.017s
sys 0m0.005s
[testua@merlin ~]$ time ldapsearch -LLL -ZZ -x -Hldap://infinite-temp.mines.edu/ -bou=People,dc=mines,dc=edu uid=testua
dn: uid=testua,ou=People,dc=mines,dc=edu
uid: testua
cn: estua, t
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
shadowLastChange: 12780
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
gidNumber: 11192
host: imagine.mines.edu
gecos: estua, t
homeDirectory: /u/ca/fl/testua
userPassword:: e1NBU0x9dGVzdHVhQE1JTkVTLkVEVQ==
uidNumber: 11192
real 0m0.029s
user 0m0.014s
sys 0m0.006s
[testua@merlin ~]$
When using an anonymous bind, the old server takes longer than the new
server -- which is what I would expect given that the new server has
twice the number of faster processors and double the memory of the old
server.
Any ideas?
Thanks!
Matt
mbrookov(a)mines.edu
Master-Master replication different data centers
by S, Mohan (GE Energy)
Hi,
I've been trying to set up OpenLDAP Master-Master replication running on
SITE A (Datacenter 1) & SITE B (Datacenter 2), and I could successfully
set up the sync between these masters. Changes are synchronized between
the sites without any issues. Now I got a new requirement that "SITE A
users/entries/objects should not be modifiable by SITE B and vice versa,
but both have to send updates (sync) to each other."
I'm not sure how to go about this. Will I need to configure
different OUs for each site, sync the OUs, and control
write access with ACLs?
Please suggest.
Regards,
Mohan
Execute a Filter and get the boolean status true/false
by Puneet Khunteta
Hello,
I am facing an issue getting the result of a filter.
Currently I have used the ldap_search() function to see whether AD has
some entry corresponding to a particular filter execution.
But I am not able to find the function which returns the number of entries
for the particular filter execution.
Please help me find the correct function which returns the number of
entries for the particular filter execution and what prerequisites it has.
If possible, please suggest a function which just returns true/false for the
particular filter.
Regards,
PKHUN