openldap-technical November 2013

openldap-technical@openldap.org

73 participants
72 discussions

Q: syntax 1.3.6.1.4.1.1466.115.121.1.51
by Ulrich Windl 12 Nov '13

12 Nov '13

Hi! I see that core.schema defines: --- attributetype ( 2.5.4.22 NAME 'teletexTerminalIdentifier' DESC 'RFC2256: Teletex Terminal Identifier' SYNTAX 1.3.6.1.4.1.1466.115.121.1.51 ) --- However I cannot locate the syntax for the OID. It's mentioned in secion 6.5 of RFC 2256, however. How is an LDAP client expected to resolve this? I see the following syntaxes defines in the LDAP schema: DB<17> print sort map { $_->{name} . "\n" } $s->all_syntaxes 1.2.36.79672281.1.5.0 1.3.6.1.1.1.0.0 1.3.6.1.1.1.0.1 1.3.6.1.1.16.1 1.3.6.1.4.1.1466.115.121.1.10 1.3.6.1.4.1.1466.115.121.1.11 1.3.6.1.4.1.1466.115.121.1.12 1.3.6.1.4.1.1466.115.121.1.14 1.3.6.1.4.1.1466.115.121.1.15 1.3.6.1.4.1.1466.115.121.1.22 1.3.6.1.4.1.1466.115.121.1.24 1.3.6.1.4.1.1466.115.121.1.26 1.3.6.1.4.1.1466.115.121.1.27 1.3.6.1.4.1.1466.115.121.1.28 1.3.6.1.4.1.1466.115.121.1.34 1.3.6.1.4.1.1466.115.121.1.36 1.3.6.1.4.1.1466.115.121.1.38 1.3.6.1.4.1.1466.115.121.1.39 1.3.6.1.4.1.1466.115.121.1.4 1.3.6.1.4.1.1466.115.121.1.40 1.3.6.1.4.1.1466.115.121.1.41 1.3.6.1.4.1.1466.115.121.1.44 1.3.6.1.4.1.1466.115.121.1.45 1.3.6.1.4.1.1466.115.121.1.49 1.3.6.1.4.1.1466.115.121.1.5 1.3.6.1.4.1.1466.115.121.1.50 1.3.6.1.4.1.1466.115.121.1.52 1.3.6.1.4.1.1466.115.121.1.6 1.3.6.1.4.1.1466.115.121.1.7 1.3.6.1.4.1.1466.115.121.1.8 1.3.6.1.4.1.1466.115.121.1.9 1.3.6.1.4.1.4203.666.11.10.2.1 Regards, Ulrich

2 3

OpenLDAP on CF disk
by richard lucassen 11 Nov '13

11 Nov '13

Hello list, I want to migrate some OpenLDAP servers from 3.5" disks to CF-disks. The data in the OpenLDAP is only updated once a month or so. It is just an "99%-read-only" LDAP implementation. However, with a standard Debian install, some files in the /var/lib/ldap directory are updated upon each query: # ls -altr -rw-r--r-- 1 openldap openldap 96 2008-11-19 11:45 DB_CONFIG drwxr-xr-x 28 root root 4096 2008-12-03 15:03 .. -rw------- 1 openldap openldap 8192 2013-04-08 10:50 cn.bdb -rw------- 1 openldap openldap 24576 2013-09-29 13:49 objectClass.bdb -rw------- 1 openldap openldap 180224 2013-09-29 13:49 id2entry.bdb -rw------- 1 openldap openldap 8192 2013-09-29 13:49 entryUUID.bdb -rw------- 1 openldap openldap 8192 2013-09-29 13:49 entryCSN.bdb -rw------- 1 openldap openldap 36864 2013-09-29 13:49 dn2id.bdb -rw------- 1 openldap openldap 1168654 2013-10-17 09:40 log.0000000001 -rw------- 1 openldap openldap 24576 2013-11-07 05:45 __db.005 -rw------- 1 openldap openldap 98304 2013-11-07 05:45 __db.003 -rw-r--r-- 1 openldap openldap 4096 2013-11-07 05:45 alock drwx------ 2 openldap openldap 4096 2013-11-07 05:45 accesslog drwx------ 3 openldap openldap 4096 2013-11-07 05:45 . -rw------- 1 openldap openldap 565248 2013-11-07 11:30 __db.004 -rw------- 1 openldap openldap 2629632 2013-11-07 11:30 __db.002 -rw------- 1 openldap openldap 8192 2013-11-07 11:30 __db.001 Apparently the cluster is doing some synchronizing at 05:45 in the morning, but that's once a day. My concern is the files called __db.001 __db.002 __db.004 Is there a simple way to prevent OpenLDAP from updating these files at each query? R. -- ___________________________________________________________________ It is better to remain silent and be thought a fool, than to speak aloud and remove all doubt. +------------------------------------------------------------------+ | Richard Lucassen, Utrecht | +------------------------------------------------------------------+

6 13

New objectClass
by Merve Temizer 11 Nov '13

11 Nov '13

How can i add mailacceptinggeneralid and maildrop attirbutes to use postfix with openldap ? I tried to adding a schema like (into /etc/ldap/schema) # # postfix.schema - basic attributes based on default queries # postfix will make for alias and virtual account lookups # I don't think there is an official postfix schema out there, # but if there is, this most certainly is not it. # # leah(a)frauerpower.com # # mailacceptinguser and mailAccount added by Barrie Bremner < bjb(a)netcraft.com> # attributetype ( 1.3.6.1.4.1.25260.1.000 NAME 'mailacceptinggeneralid' DESC 'Defines an address that we accept mail for' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) attributetype ( 1.3.6.1.4.1.25260.1.001 NAME 'maildrop' DESC 'Defines the address mail goes to' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) attributetype ( 1.3.6.1.4.1.25260.1.002 NAME 'mailacceptinguser' DESC 'Defines if this user accepts mail' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) objectClass ( 1.3.6.1.4.1.25260.1.1.100 NAME 'virtualaccount' DESC 'Holds mail info for a virtual account' STRUCTURAL MUST ( owner $ mailacceptinggeneralid $ maildrop $ cn ) ) objectClass ( 1.3.6.1.4.1.25260.1.1.101 NAME 'maillist' DESC 'Virtual account for holding mailing list info' STRUCTURAL MUST ( mailacceptinggeneralid $ maildrop $ cn ) ) objectClass ( 1.3.6.1.4.1.25260.1.1.102 NAME 'mailAccount' DESC 'Email account details' AUXILIARY MUST ( mailacceptinguser $ maildrop $ cn ) MAY ( mailacceptinggeneralid ) ) and add a line into /usr/share/slapd/slapd.conf " include /etc/ldap/schema/inetorgperson.schema" But i am geting ldap_add: Invalid syntax (21) additional info: objectClass: value #3 invalid per syntax when i try to add an object objectClass:mailAccount Where am i wrong? Thanks

2 1

ldapmodify replace olcAccess
by Daniel Jung 11 Nov '13

11 Nov '13

Hi all, Is it possible to use the replace the instead of delete then add again for olcAccess? dn: olcDatabase={2}hdb,cn=config changetype: modify replace: olcDbCacheSize olcDbCacheSize: 10240 - replace: olcAccess olcAccess: {0}to dn.base="" attrs=namingContexts by * none olcAccess: {1}to * by * read - Thanks

3 2

Re: ldap syncrepl issue.
by Ashok Kumar Shah 11 Nov '13

11 Nov '13

I don't see any fix done for syncrepl on 2.4.36. Speaking about the actual problem i have noticed that the do_syncrep* is not getting triggered as defined in the config: interval=00:00:05:00 retry="60 +" and get triggered after long delay about ~23hrs or so. Not sure if this a bug. Thanks, Ashok On Sun, Nov 10, 2013 at 6:14 AM, Quanah Gibson-Mount <quanah(a)zimbra.com>wrote: > I suggest you read the openldap changelog and upgrade to 2.4.36. > > --Quanah > > On Nov 9, 2013, at 12:34 AM, Ashok Kumar Shah <ashok.shah(a)flipkart.com> > wrote: > > I have upgraded to OpenLDAP 2.4.31. I was hoping that the syncrepl issue > will subside with the upgrade, but problem continue to persist even now. > Just to point out that the master still runs the older version i.e 2.4.31, > but i guess that should be ok since the issue is with the replication or > perhaps with contextCSN not getting updated on the client(slaves). > > Thanks, > Ashok > > > On Mon, Jul 15, 2013 at 3:47 AM, Quanah Gibson-Mount <quanah(a)zimbra.com>wrote: > >> --On Sunday, July 14, 2013 10:35 PM +0530 Ashok Kumar Shah < >> ashok.shah(a)flipkart.com> wrote: >> >> >>> I am running OpenLDAP 2.4.23. >>> >> >> I would advise you to run a modern release. I would strongly advise you >> to read the changes log since 2.4.23. >> >> >> --Quanah >> >> >> -- >> >> Quanah Gibson-Mount >> Sr. Member of Technical Staff >> Zimbra, Inc >> A Division of VMware, Inc. >> -------------------- >> Zimbra :: the leader in open source messaging and collaboration >> > >

3 2

How to say not to use a particular objectClass for a dn
by Harishkumar Pathangay 10 Nov '13

10 Nov '13

Hi,How to say not to use a particular objectClass for a dn. For example,harish@openSUSE:~> ldapsearch -x -b 'dc=my-domain,dc=com' '(objectclass=*)' # extended LDIF## LDAPv3# base <dc=my-domain,dc=com> with scope subtree# filter: (objectclass=*)# requesting: ALL# # my-domain.comdn: dc=my-domain,dc=comobjectClass: dcObjectobjectClass: organizationdc: my-domaino: Example Corporation # Manager, my-domain.comdn: cn=Manager,dc=my-domain,dc=comobjectClass: organizationalRolecn: Managerdescription: Directory Manager # search resultsearch: 2result: 0 Success Here, we see that dn: dc=my-domain,dc=com uses objectClass: organizationI want to say not to use objectClass: organization. How to do this? Thanks,Harish Pathangay

3 4

Restricting Login based on AD GID
by Manish Nene 10 Nov '13

10 Nov '13

Hello, I've LDAP authentication functioning well against Novell e-directory. Is there a way I can restrict the login access to appliance based on the GID of an user? Thanks, - Manish. ------------------------ Powered by BigRock.com

2 2

Re: ldap syncrepl issue.
by Ashok Kumar Shah 09 Nov '13

09 Nov '13

I have upgraded to OpenLDAP 2.4.31. I was hoping that the syncrepl issue will subside with the upgrade, but problem continue to persist even now. Just to point out that the master still runs the older version i.e 2.4.31, but i guess that should be ok since the issue is with the replication or perhaps with contextCSN not getting updated on the client(slaves). Thanks, Ashok On Mon, Jul 15, 2013 at 3:47 AM, Quanah Gibson-Mount <quanah(a)zimbra.com>wrote: > --On Sunday, July 14, 2013 10:35 PM +0530 Ashok Kumar Shah < > ashok.shah(a)flipkart.com> wrote: > > >> I am running OpenLDAP 2.4.23. >> > > I would advise you to run a modern release. I would strongly advise you > to read the changes log since 2.4.23. > > > --Quanah > > > -- > > Quanah Gibson-Mount > Sr. Member of Technical Staff > Zimbra, Inc > A Division of VMware, Inc. > -------------------- > Zimbra :: the leader in open source messaging and collaboration >

1 0

Re: Reseting content/database/schema
by Ryan Tandy 08 Nov '13

08 Nov '13

Hi, Please, let's keep the discussion on the list. On 13-11-08 12:26 AM, Merve Temizer wrote: > Tandy thanks for your answer. > > Might the problem be about default conf despite that i was able to add > my ldif at first installation? Sure, it's definitely possible that I was wrong. It doesn't really matter, though: stop the daemon and remove everything from /etc/ldap/slapd.d and from /var/lib/ldap, and you're immediately in a clean and unconfigured state. Purging and reinstalling the package doesn't do much else. If you want more detailed help, please provide more details about the problem: a full transcript of the commands you're running (including any input files) and their output, plus the exact version of OpenLDAP you're running, would be a good start. -- Ryan Tandy - Programmer/Analyst rtandy(a)sd63.bc.ca School District 63 (Saanich) +1 250 652 7385

1 0

PBKDF2 for OpenLDAP
by Tsukasa HAMANO 08 Nov '13

08 Nov '13

Hi, I was concerned that OpenLDAP have no modern key derivation function. (It seems eglibc's crypt(3) has bcrypt, but it's depends environment) So I just implemented PBKDF2 module for OpenLDAP. https://github.com/hamano/openldap-pbkdf2 # Installation $ cd <OPENLDAP_BUILD_DIR>/contrib/slapd-modules/passwd/ $ git clone https://github.com/hamano/openldap-pbkdf2.git $ cd openldap-pbkdf2/ $ make # make install in slapd.conf: moduleload pw-pbkdf2.so password-hash {PBKDF2} # Usage $ slappasswd -o module-load=pw-pbkdf2.la -h {PBKDF2} -s secret {PBKDF2}60000$Y6ZHtTTbeUgpIbIW0QDmDA$j/aU7jFKUSbH4UobNQDm9OEIwuw This format is compatible with Python's passlib.hash.ldap_pbkdf2_sha1 http://pythonhosted.org/passlib/lib/passlib.hash.ldap_pbkdf2_digest.html And also, I have roadmap to implement {PBKDF2-SHA256} and {PBKDF2-SHA512} schemes in the future. Could you merge the module into contrib/ directory? Thank you. -- Open Source Solution Technology Corporation HAMANO Tsukasa <hamano(a)osstech.co.jp> fingerprint = 2285 2111 6D34 3816 3C2E A5B9 16BE D101 6069 BE55

2 2

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical November 2013