invalid value for attributeType olcSuffix while restoring cn=config (slapd-2.4.33)
by Igor Zinovik
Hello, openldap-technical@ readers.
I backed up cn=config from openldap-2.4.33 and now I try to restore
it, but with no success.
I made backup copy this way:
ldap1# sudo slapcat -b cn=config -F /etc/openldap/slapd.d -l config.ldif
After this I created a new clean VM with openSUSE 12.3 and slapd 2.4.33
opensuse# slapadd -u -F /etc/openldap/slapd.d -b cn=config -l config.ldif
5187acde str2entry: invalid value for attributeType olcSuffix #0 (syntax 1.3.6.1.4.1.1466.115.121.1.12)
slapadd: could not parse entry (line=3206)
_################### 98.19% eta none elapsed none spd 19.9 M/s
opensuse# fgrep -n olcSuffix config.ldif
522:olcAttributeTypes: ( OLcfgDbAt:0.10 NAME 'olcSuffix' EQUALITY distinguishedNam
1049: n $ olcSuffix $ olcSubordinate $ olcAccess $ olcAddContentAcl $ olcLastMod $
3205:olcSuffix: dc=example,dc=ru
3411:olcSuffix: cn=example-log
The LDIF content around line 3206 is the following:
3201: dn: olcDatabase={1}mdb,cn=config
3202: objectClass: olcDatabaseConfig
3203: objectClass: olcMdbConfig
3204: olcDatabase: {1}mdb
3205: olcSuffix: dc=example,dc=ru
3206: olcAddContentAcl: FALSE
Here is the trace:
5187b22a <<< dnPrettyNormal: <olcDatabase={1}mdb,cn=config>, <olcDatabase={1}mdb,cn=config>
5187b22a >>> dnPretty: <dc=example,dc=ru>
5187b22a str2entry: invalid value for attributeType olcSuffix #0 (syntax 1.3.6.1.4.1.1466.115.121.1.12)
slapadd: could not parse entry (line=3201)
10 years, 6 months
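The error above is str2entry reporting that the DN syntax checker (dnPretty) rejected the olcSuffix value, and one thing that makes dnPretty reject an otherwise well-formed DN is an RDN attribute type (here 'dc') that is not defined by any schema loaded at the moment the entry is parsed. The checker below is an added example, not code from the thread or from OpenLDAP: it parses an LDIF dump of cn=config (folded lines and '::' base64 values included), walks it in file order collecting the names declared by olcAttributeTypes values, and reports every olcSuffix with its line number and the RDN types still undefined when it is reached. The LDIF it runs on is constructed for the example (its core schema entry deliberately defines only 'dc'); it is not the poster's config.ldif. One further thing worth keeping in mind: `slapadd -u` is a dry run that parses but does not apply entries, so schema carried inside the LDIF is not loaded either during such a run; check a restore without -u against a scratch slapd.d.

```python
"""Added example: report olcSuffix values in a cn=config LDIF and the RDN
attribute types that no earlier olcAttributeTypes value defines."""
import base64
import re

LINE_RE = re.compile(r"^([A-Za-z][A-Za-z0-9.;-]*):(:?) ?(.*)$")
NAME_RE = re.compile(r"NAME\s+(?:'([^']+)'|\(\s*((?:'[^']+'\s*)+)\))")
RDN_TYPE_RE = re.compile(r"(?:^|[,+])\s*([A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)*)=")


def parse_ldif(text):
    """Return [(first_line, {attr_lower: [(line, value), ...]}), ...].
    Folded lines (leading space) are joined; '::' values are base64-decoded."""
    logical = []
    for n, raw in enumerate(text.splitlines(), 1):
        if raw.startswith(" ") and logical:
            logical[-1] = (logical[-1][0], logical[-1][1] + raw[1:])
        else:
            logical.append((n, raw))
    logical.append((0, ""))  # sentinel so the last entry is flushed
    entries, current, start = [], None, None
    for n, line in logical:
        if line == "":
            if current is not None:
                entries.append((start, current))
                current = None
            continue
        if line.startswith("#") or (current is None and line.startswith("version:")):
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError("line %d: not an LDIF attribute line: %r" % (n, line))
        name, value = m.group(1).lower(), m.group(3)
        if m.group(2) == ":":
            value = base64.b64decode(value).decode("utf-8")
        if current is None:
            current, start = {}, n
        current.setdefault(name, []).append((n, value))
    return entries


def schema_names(attr_type_def):
    """Short names declared by one olcAttributeTypes value, lowercased."""
    m = NAME_RE.search(attr_type_def)
    if m is None:
        return set()
    if m.group(1):
        return {m.group(1).lower()}
    return {s.strip("'").lower() for s in m.group(2).split()}


def rdn_types(dn):
    """Attribute types used in a DN's RDNs (escaped separators are not handled)."""
    return [t.lower() for t in RDN_TYPE_RE.findall(dn)]


def check_suffixes(text):
    """Walk the file in order, collecting schema as it appears, and report each
    olcSuffix with the non-numeric RDN types still undefined when it is reached."""
    known, report = set(), []
    for _, entry in parse_ldif(text):
        for _, definition in entry.get("olcattributetypes", []):
            known |= schema_names(definition)
        for line, suffix in entry.get("olcsuffix", []):
            undefined = sorted({t for t in rdn_types(suffix)
                                if not t[0].isdigit() and t not in known})
            report.append({"line": line, "database": entry["olcdatabase"][0][1],
                           "suffix": suffix, "undefined": undefined})
    return report


# Constructed sample: the schema entry defines only 'dc', so the second
# database's suffix (base64 for "o=example-log") uses an undefined type.
SAMPLE_LDIF = """\
version: 1

dn: cn=config
objectClass: olcGlobal
cn: config

dn: cn={0}core,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: {0}core
olcAttributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domainComponent' )
  EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )

dn: olcDatabase={1}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {1}mdb
olcSuffix: dc=example,dc=ru
olcAddContentAcl: FALSE

dn: olcDatabase={2}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {2}mdb
olcSuffix:: bz1leGFtcGxlLWxvZw==
"""

if __name__ == "__main__":
    for r in check_suffixes(SAMPLE_LDIF):
        print("line %(line)d %(database)s olcSuffix: %(suffix)s undefined=%(undefined)s" % r)
```

Run it on a real dump with `check_suffixes(open("config.ldif").read())`; a non-empty `undefined` list on the reported line points at schema that the target slapd.d does not have by the time that database entry is parsed.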
Use LDAP netgroup to control NFS exports?
by jupiter
Hi,
I am running an LDAP server and an NFS server on CentOS 6. Is it true that
LDAP can be used to control NFS export authentication and uid and gid
settings without needing to specify client IP addresses, anonuid and
anongid in the NFS exports file?
I saw a sample such as defining "/tmp/nfs2
@mynetgrp(rw,no_root_squash)" in the exports file; it seems to me you can
add a new user with an IP address to an LDAP entry anytime without updating
the exports file on the NFS server?
If that is correct, has the netgroup schema already been defined in
/etc/openldap/schema? Could anyone kindly point me to a link for documentation
or a howto for the setup on both LDAP and NFS exports?
Thank you.
Kind regards.
Jupiter
10 years, 6 months
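An added example, not part of the post, of how a `@netgroup` entry in /etc/exports is evaluated. The netgroup data is constructed to look like nisNetgroup entries from OpenLDAP's nis.schema (nisNetgroupTriple values of the form `(host,user,domain)`, nested via memberNisNetgroup); the matching follows the innetgr(3) rules, where an empty field in a triple matches anything and `-` matches nothing, and rpc.mountd asks only about the client host. That last point is the one to notice: a netgroup that also carries user-only triples such as `(,alice,)` matches every host, so exports should reference netgroups that contain host triples only. The real lookup is done by the system's NSS netgroup backend (nss_ldap, sssd); this code only models its semantics.

```python
"""Added example: innetgr-style evaluation of '@netgroup' client specs in exports."""
import re

# Constructed data keyed by the entry's cn. "users" carries user-only triples,
# fine for login checks but dangerous if referenced from /etc/exports.
NETGROUPS = {
    "nfsclients": {"nisNetgroupTriple": ["(ws1.example.com,,)", "(ws2.example.com,,)"],
                   "memberNisNetgroup": ["labhosts"]},
    "labhosts": {"nisNetgroupTriple": ["(lab1.example.com,,)"],
                 "memberNisNetgroup": ["nfsclients"]},  # cycle: must not loop forever
    "users": {"nisNetgroupTriple": ["(,alice,)", "(,bob,)"], "memberNisNetgroup": []},
}
TRIPLE_RE = re.compile(r"^\(([^,]*),([^,]*),([^,)]*)\)$")
CLIENT_RE = re.compile(r"^([^(]+)(?:\(([^)]*)\))?$")


def triples(groups, name, seen=None):
    """All (host, user, domain) triples of a netgroup, nested groups included."""
    seen = set() if seen is None else seen
    if name in seen or name not in groups:
        return []
    seen.add(name)
    out = []
    for t in groups[name]["nisNetgroupTriple"]:
        m = TRIPLE_RE.match(t.replace(" ", ""))
        if m:
            out.append(m.groups())
    for sub in groups[name]["memberNisNetgroup"]:
        out.extend(triples(groups, sub, seen))
    return out


def field_matches(field, wanted):
    if wanted is None:      # caller does not care about this field
        return True
    if field == "":         # empty triple field: wildcard
        return True
    if field == "-":        # '-': matches no value at all
        return False
    return field.lower() == wanted.lower()


def innetgr(groups, name, host=None, user=None, domain=None):
    """innetgr(3): is (host, user, domain) a member of netgroup `name`?"""
    return any(field_matches(h, host) and field_matches(u, user) and field_matches(d, domain)
               for h, u, d in triples(groups, name))


def parse_exports_line(line):
    """'/srv/nfs @nfsclients(rw,sync) 10.0.0.0/8(ro)' -> (path, [(client, [opts]), ...])."""
    path, _, rest = line.strip().partition(" ")
    clients = []
    for tok in rest.split():
        m = CLIENT_RE.match(tok)
        if m:
            clients.append((m.group(1), m.group(2).split(",") if m.group(2) else []))
    return path, clients


def export_allows(groups, exports_line, client_host):
    """Client specs on the line that admit client_host. Only '@netgroup' specs are
    evaluated, the way mountd does it: by host name, never by user."""
    _, clients = parse_exports_line(exports_line)
    return [(c, opts) for c, opts in clients
            if c.startswith("@") and innetgr(groups, c[1:], host=client_host)]


if __name__ == "__main__":
    line = "/tmp/nfs2 @nfsclients(rw,no_root_squash) @users(ro)"
    for host in ("ws1.example.com", "lab1.example.com", "evil.example.com"):
        print(host, "->", export_allows(NETGROUPS, line, host))
```

The uid/gid side of the question is separate from exports: the server maps the uid the client presents through its own NSS configuration (the same LDAP users and groups), and anonuid/anongid only govern squashed requests.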
About ppolicy
by Jacques Foucry
Hello Folks,
On my OpenLDAP server I was using shadowAccount to enforce password
changes for my users. It works, but it's not really secure. Users can
reuse old passwords, etc.
So I had a look at ppolicy and applied this tutorial:
http://theslashroot.blogspot.fr/2011/12/openldap-with-ppolicy.html
Some things are not clear to me. Do I have to disable shadowAccount in
my schema?
If not, will shadowLastChange be updated?
I hope I need to include the ppolicy schema on all my replicas.
Thanks in advance for your help,
Jacques Foucry
--
Jacques Foucry
NOVΛSPARKS
IT Manager
Tel : +33 (0)1 42 68 12 61
jacques.foucry(a)novasparks.com
10 years, 6 months
Modern Password Hashes in Openldap?
by Chris Hiestand
Since SSHA-1 is weak these days I'd like to switch to PBKDF2, bcrypt or the like with key stretching. Since OpenLDAP does not support relatively strong hashes, do you guys use SASL to store stronger hashes? If so, what kind of backend are you using to store hashes?
Background:
oclHashcat can generate tens of billions of SHA-1 hashes per second with off-the-shelf hardware, but it can only generate thousands of bcrypt hashes per second on similar hardware: https://hashcat.net/forum/thread-1541.html .
10 years, 7 months
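An added example, not OpenLDAP's code, that puts the two schemes side by side: the {SSHA} userPassword layout stock slapd produces (base64 of SHA-1(password || salt) followed by the salt) and a PBKDF2 scheme in the `{PBKDF2-SHA512}iterations$salt$dk` layout used by OpenLDAP's contrib pw-pbkdf2 module, with salt and derived key in adapted base64 ('.' instead of '+', no padding). That layout is stated here as an assumption to check against the module's README before relying on it; the passwords and salts are constructed. A verifier that dispatches on the scheme prefix is what lets a directory migrate hashes gradually, rehashing each user's password on their next successful login.

```python
"""Added example: {SSHA} versus a PBKDF2 userPassword scheme, with a verifier."""
import base64
import hashlib
import hmac
import os
import time


def ab64_encode(b):
    """Adapted base64 as used by pw-pbkdf2/passlib: '+' -> '.', padding dropped."""
    return base64.b64encode(b).decode().rstrip("=").replace("+", ".")


def ab64_decode(s):
    s = s.replace(".", "+")
    return base64.b64decode(s + "=" * (-len(s) % 4))


def ssha_hash(password, salt=None):
    """{SSHA}: base64( SHA1(password || salt) || salt ); slapd uses a 4-byte salt."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def pbkdf2_hash(password, iterations=100000, salt=None, prf="sha512"):
    """{PBKDF2-SHA512}iterations$salt$dk (layout assumed from the contrib module)."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac(prf, password.encode(), salt, iterations)
    return "{PBKDF2-%s}%d$%s$%s" % (prf.upper(), iterations, ab64_encode(salt), ab64_encode(dk))


def verify(password, stored):
    """Check a userPassword value of either scheme; anything else verifies False."""
    if not stored.startswith("{") or "}" not in stored:
        return False
    scheme, rest = stored[1:].split("}", 1)
    if scheme == "SSHA":
        raw = base64.b64decode(rest)
        digest, salt = raw[:20], raw[20:]
        cand = hashlib.sha1(password.encode() + salt).digest()
    elif scheme.startswith("PBKDF2-"):
        prf = scheme[len("PBKDF2-"):].lower()
        iters, salt_s, dk_s = rest.split("$")
        digest, salt = ab64_decode(dk_s), ab64_decode(salt_s)
        cand = hashlib.pbkdf2_hmac(prf, password.encode(), salt, int(iters), len(digest))
    else:
        return False
    return hmac.compare_digest(cand, digest)   # constant-time comparison


def cost_ratio(password="correct horse", iterations=100000, rounds=20):
    """Seconds per PBKDF2 verify divided by seconds per SSHA verify on this host:
    the same factor an offline guessing attack pays for each candidate."""
    s, p = ssha_hash(password), pbkdf2_hash(password, iterations)
    t0 = time.perf_counter()
    for _ in range(rounds):
        verify(password, s)
    t1 = time.perf_counter()
    for _ in range(rounds):
        verify(password, p)
    t2 = time.perf_counter()
    return (t2 - t1) / max(t1 - t0, 1e-9)


if __name__ == "__main__":
    print(ssha_hash("s3cret"))
    print(pbkdf2_hash("s3cret"))
    print("PBKDF2 costs %.0fx an SSHA check here" % cost_ratio())
```

Two caveats when applying this to slapd: the `password-hash` setting only takes effect for the Password Modify extended operation, so a client that writes userPassword directly stores whatever string it sends; and the built-in {CRYPT} scheme delegates to the system crypt(3), so on a libc whose crypt supports bcrypt ($2y$) or sha512crypt ($6$), `password-hash {CRYPT}` with a matching `password-crypt-salt-format` gives key stretching without any extra module.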
Questions about multiple identical values in a field
by Nicolas Mora
Hello,
I'm currently programming a connector between a CardDAV server and an
LDAP server in PHP.
I'm using the inetOrgPerson schema, which is good for most of the data,
but I have a problem with multiple equal data.
The VCard data is set like this :
ADR;TYPE=HOME:;;123 1st av;Montreal;QC;GGG RT3;CA
which is translated into :
street: 123 1st av
l: Montreal
st: QC
postalCode: GGG RT3
By default in the inetOrgPerson schema the country code is not added,
so I added a custom schema with 2 fields:
- countryCode ('c')
- VCardUnassigned ('vcardunassigned')
The second one is for when a vCard field has no correspondence in the LDAP
schema.
The problem is, when you have multiple fields with the same value, you get
an error 0x14 - LDAP_TYPE_OR_VALUE_EXISTS. Which is logical, but kind of
annoying if you want, for example, to add a second address in the same
state or country, like:
ADR;TYPE=HOME:;;321 42nd st;Montreal;QC;GGG RT1;CA
Is there a way to save multiple equal values for an entry for some
fields?
10 years, 7 months
Re: Questions about multiple identical values in a field
by Erwann Abalea
2013/5/3 Quanah Gibson-Mount <quanah(a)zimbra.com>
> --On Friday, May 03, 2013 6:24 PM +0200 Erwann Abalea <eabalea(a)gmail.com>
> wrote:
>
> Can't you use the postalAddress attribute?
>> With your examples, it should be something like:
>> postalAddress: 123 1st av$Montreal$QC$GGG RT3$CA
>>
>> postalAddress: 321 42nd st$Montreal$QC$GGG RT1$CA
>>
>
> This is almost the correct way to format it... it should be:
>
> postalAddress: 123 1st av $ Montreal $ QC $ GGG RT3 $ CA
>
If I correctly read RFC2252, the space character around the "$" isn't
required:
postal-address = dstring *( "$" dstring )
dstring = 1*utf8
And the provided examples don't include such spaces.
I would also note that there is no guaranteed return order for values
> unless you use weighted attributes.
Is the weighted attribute standardized LDAP, or specific to OpenLDAP? I
can't find supportive definition in RFC45* documents.
> Generally the best thing to do if you are going to have multiple
> addresses (say home, work, business, mailing, etc) is to have custom
> attributes specifically for those addresses
>
Or maybe a subordinate leaf for each address (with the address elements
split into several attributes), to be able to use search filters.
--
Erwann.
10 years, 7 months
Re: Questions about multiple identical values in a field
by Erwann Abalea
2013/5/3 Quanah Gibson-Mount <quanah(a)zimbra.com>:
> --On Friday, May 03, 2013 7:01 PM +0200 Erwann Abalea <eabalea(a)gmail.com>
> wrote:
>
>> 2013/5/3 Quanah Gibson-Mount <quanah(a)zimbra.com>
>>> --On Friday, May 03, 2013 6:24 PM +0200 Erwann Abalea <eabalea(a)gmail.com>
>>> wrote:
>>>> Can't you use the postalAddress attribute?
>>>> With your examples, it should be something like:
>>>> postalAddress: 123 1st av$Montreal$QC$GGG RT3$CA
>>>>
>>>> postalAddress: 321 42nd st$Montreal$QC$GGG RT1$CA
>>>
>>> This is almost the correct way to format it... it should be:
>>>
>>> postalAddress: 123 1st av $ Montreal $ QC $ GGG RT3 $ CA
>>
>> If I correctly read RFC2252, the space character around the "$" isn't
>> required:
>>
>> postal-address = dstring *( "$" dstring )
>> dstring = 1*utf8
>>
>> And the provided examples don't include such spaces.
>
> Please fix your email client to quote replies properly. ;)
That's GMail, multipart/alternative stuff, with inline replying :(
The text/plain part was mostly OK, but it's difficult to manually
read+parse the quoted-printable text/html part...
I have similar problems when using Google Groups.
Switched to pure text, manually added missing quote levels, it should be better.
>>> I would also note that there is no guaranteed return order for values
>>> unless you use weighted attributes.
>>
>> Is the weighted attribute standardized LDAP, or specific to OpenLDAP? I
>> can't find supportive definition in RFC45* documents.
>
> This is an OpenLDAP specific overlay (valsort).
Nice to know it's non portable.
>>> Generally the best thing to do if you are going to have multiple
>>> addresses (say home, work, business, mailing, etc) is to have custom
>>> attributes specifically for those addresses
>>
>> Or maybe a subordinate leaf for each address (with the address elements
>> split into several attributes), to be able to use search filters.
>
> Personally, I would avoid subtrees for this. I prefer to see all my data
> for a given user stored with the user entry. But that's me. ;) I've used
> custom AUX objectClasses for this in the past to attach to the person entry
> if they had a specific type of addr.
Then a simple copy of "TYPE=HOME:;;123 1st av;Montreal;QC;GGG RT3;CA"
into a custom attribute (with a properly defined auxiliary class)
should get the job done.
--
Erwann.
10 years, 7 months
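An added example, not part of the thread, for the two practical points raised above: how a vCard ADR property turns into an RFC 4517 postalAddress value (components joined by `$`, with a literal `$` inside a line written as `\24` and a backslash as `\5C`), and why the spaced and unspaced forms discussed by Quanah and Erwann are the same value to the server, so adding one after the other still yields error 20. postalAddress uses the caseIgnoreListMatch equality rule, which compares line by line ignoring case and insignificant whitespace; the toy `Entry` class models an attribute's value set keyed by that normalisation. The addresses are the thread's; the class and the LDAP result code constant are this example's.

```python
"""Added example: vCard ADR -> postalAddress, and equality under caseIgnoreListMatch."""
import re

LDAP_TYPE_OR_VALUE_EXISTS = 20  # the 0x14 result from the original question


def split_unescaped(s, sep):
    """Split a vCard value on sep, honouring backslash escapes (\\; \\, \\n)."""
    parts, cur, i = [], [], 0
    while i < len(s):
        c = s[i]
        if c == "\\" and i + 1 < len(s):
            nxt = s[i + 1]
            cur.append("\n" if nxt in "nN" else nxt)
            i += 2
            continue
        if c == sep:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(c)
        i += 1
    parts.append("".join(cur))
    return parts


def escape_line(line):
    """RFC 4517 postal-address line: backslash -> \\5C, '$' -> \\24."""
    return line.replace("\\", "\\5C").replace("$", "\\24")


def unescape_line(line):
    return re.sub(r"\\(24|5C)", lambda m: "$" if m.group(1) == "24" else "\\", line)


def vcard_adr_to_postal_address(adr_value):
    """ADR components: pobox;ext;street;locality;region;postcode;country.
    Empty components are dropped; each remaining one becomes a '$'-separated line."""
    comps = split_unescaped(adr_value, ";")
    return "$".join(escape_line(c.strip()) for c in comps if c.strip())


def postal_address_lines(value):
    return [unescape_line(line) for line in value.split("$")]


def equality_key(value):
    """What caseIgnoreListMatch effectively compares: each line case-folded with
    leading/trailing space removed and inner runs collapsed (RFC 4518, simplified)."""
    return tuple(" ".join(line.split()).casefold() for line in postal_address_lines(value))


class Entry:
    """Toy model of an entry's attribute value sets, deduplicated by equality key."""
    def __init__(self):
        self.attrs = {}

    def add(self, attr, value, key=equality_key):
        vals = self.attrs.setdefault(attr.lower(), {})
        k = key(value)
        if k in vals:
            return LDAP_TYPE_OR_VALUE_EXISTS
        vals[k] = value
        return 0

    def values(self, attr):
        return list(self.attrs.get(attr.lower(), {}).values())


if __name__ == "__main__":
    e = Entry()
    for adr in (";;123 1st av;Montreal;QC;GGG RT3;CA", ";;321 42nd st;Montreal;QC;GGG RT1;CA"):
        v = vcard_adr_to_postal_address(adr)
        print(v, "->", e.add("postalAddress", v))
    print("spaced duplicate ->", e.add("postalAddress", "123 1st av $ Montreal $ QC $ GGG RT3 $ CA"))
```

If the connector must keep several addresses of the same type, a custom multi-valued attribute on an auxiliary class, as suggested in the thread, stores one vCard ADR per value; it still cannot hold two values that are equal under that attribute's own equality rule.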
RE: Chaining stops working after slapd restart
by Quanah Gibson-Mount
--On Monday, April 29, 2013 6:56 PM +0000 jeevan kc <jeev_biz(a)hotmail.com>
wrote:
>
> No, I'm fully using cn=config on Openldap 2.4.30 . I'm working on the
> chain overlay for the past couple of weeks and when now I finally was
> able to get it working, I found I could modify the slaves until I restart
> the server. After I restart the server the chaining doesn't work it says
> "strong authentication required". So the chaining basically worked only
> just before I restarted the server.
> Thanks
Please do not top post.
Please keep replies to the list.
Please verify whether or not you can reproduce this with OpenLDAP 2.4.35.
Thanks,
Quanah
--
Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
10 years, 7 months
Help with first immersion into LDAP
by Šerých Jakub
Dear group,
I would like to ask you for a little help with a newbie's first immersion into LDAP. The problem is that I need to build an LDAP proxy that will connect information from two MS ADs into one meta LDAP. But all the beginners' tutorials start from building a fresh new LDAP database on the server, so it's very hard for me to catch the first clues...
My situation:
Debian with openLDAP and two Microsoft Win2008 servers with AD. The commands from Linux server:
ldapsearch -x -H ldap://192.168.0.10 -D "ldap-user" -w password -b "ou=studenti,dc=student,dc=intra"
and
ldapsearch -x -H ldap://192.168.100.5 -D "ldap-user" -w password -b "dc=panska,dc=intra"
are fully functional and returning the results I need.
But when I try to configure the openLDAP server just to play the role of proxy between the client and the AD server, it is not working and I cannot find why. One of my attempts to set ldap.conf:
loglevel 255
database ldap
suffix "ou=studenti,dc=student,dc=intra"
uri "ldap://192.168.0.10/"
binddn "name=ldap-user"
bindpw password
I'm trying the functionality by the command:
ldapsearch -x -H ldap://localhost -D "ldap-user" -w password -b "ou=studenti,dc=student,dc=intra"
or
ldapsearch -x -H ldap://localhost "ou=studenti,dc=student,dc=intra"
Could somebody give me a tip on how to set ldap.conf to do just this simple proxying for the beginning?
How can I track what is going on, whether openLDAP at least tries to send something to the MS AD server and, if yes, what the structure of its query is (the loglevel 255 doesn't seem to be very helpful)?
Sorry for that newbie type of question and thanks in advance for any info
Jakub
10 years, 7 months
Checking that a change has reached all servers
by Hallvard Breien Furuseth
We have clients which must check that an update has reached all LDAP
servers before they start some task. So we need to publish a list
of all servers.
Where would you put that list, when clients should normally not contact
these servers directly (ldap-prod*.uio.no) but instead contact the load
balancer sitting in front of them (ldap.uio.no)? 'altServer' in the
root DSE anyway, or has someone defined another attribute?
With transactional backend databases, an existing slow LDAP operation
predating the change might return the old value while this quick poll
sees the change. I'm content to just tell clients to wait a second
after seeing the change though, unless someone has brighter ideas.
Finally, has anyone written a nice little server (LDAP or otherwise)
which does this - client sends a request, server checks all LDAP
servers and either returns true/false or waits & retries while false?
--
Hallvard
10 years, 7 months
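An added example of the "nice little server" logic asked for above, not code from the post or from UiO: a poller that asks every backend server (the list would come from wherever it is published, `altServer` in the root DSE being the standard place for advertising alternative servers) whether the change is visible, reports success only once all of them agree, and then applies the settle delay the post proposes for operations that began before the change. The LDAP lookup is injected as a function, so the example runs against a scripted fake; the hostnames and entryCSN-style values below are constructed.

```python
"""Added example: wait until a change is visible on every server behind a balancer."""
import time


def wait_for_convergence(servers, fetch, is_updated, timeout=30.0, interval=0.5,
                         settle=1.0, clock=time.monotonic, sleep=time.sleep):
    """Poll until is_updated(fetch(server)) holds for every server.
    Returns (converged, {server: last value or the exception fetch raised})."""
    deadline = clock() + timeout
    pending, last = set(servers), {}
    while pending:
        for server in sorted(pending):
            try:
                value = fetch(server)
            except Exception as exc:          # unreachable server: keep polling it
                value = exc
            last[server] = value
            if not isinstance(value, Exception) and is_updated(value):
                pending.discard(server)
        if not pending:
            break
        if clock() >= deadline:
            return False, last
        sleep(interval)
    sleep(settle)  # let operations that started before the change drain
    return True, last


def scripted_fetch(script):
    """Fake LDAP lookup: script maps server -> values returned on successive polls;
    the last value repeats. A value that is an Exception instance is raised."""
    calls = {s: 0 for s in script}

    def fetch(server):
        seq, i = script[server], calls[server]
        calls[server] = i + 1
        value = seq[min(i, len(seq) - 1)]
        if isinstance(value, Exception):
            raise value
        return value
    return fetch


class FakeClock:
    """Deterministic stand-in for time.monotonic/time.sleep."""
    def __init__(self):
        self.t = 0.0

    def now(self):
        return self.t

    def sleep(self, seconds):
        self.t += seconds


def demo(script, target, timeout=5.0):
    """Run the poller against a scripted cluster on a fake clock; the change is
    considered visible when a server returns the entryCSN `target`.
    Returns (converged, last_values, elapsed_fake_seconds)."""
    clock = FakeClock()
    ok, last = wait_for_convergence(sorted(script), scripted_fetch(script),
                                    lambda v: v == target, timeout=timeout,
                                    interval=0.5, settle=1.0,
                                    clock=clock.now, sleep=clock.sleep)
    return ok, last, clock.t


if __name__ == "__main__":
    NEW = "20130503120000.000001Z#000000#001#000000"   # constructed entryCSN values
    OLD = "20130503115959.000000Z#000000#001#000000"
    print(demo({"ldap-prod1": [NEW], "ldap-prod2": [OLD, OLD, NEW]}, NEW))
```

With a real directory, `fetch` would search each server directly for the modified entry's entryCSN (or the attribute that was changed) and `target` would be the value read back from the server that accepted the write; comparing entryCSN works because syncrepl carries it with the entry, so every replica that has applied the change shows the same value.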