openldap-technical May 2013

openldap-technical@openldap.org

67 participants
76 discussions

Re: ACL on create questions
by Andrew Findlay 02 May '13

02 May '13

[ Keep copying to the openldap-technical(a)openldap.org list ] On Thu, May 02, 2013 at 02:15:02PM +0000, Emmanuel Dreyfus wrote: > It almost works. My only concern is that it is possible to create an > object where LHS of DN is not in object's attributes. Like this: > > dn: foo=x,o=org > objectClass: fooClass > foo: y There was some argument about that a few years ago. I am sure that the intention of X.500 was for values in the RDN to be *chosen from* values in the entry. X.501(1988) section 8.1(g) defines an RDN: A set of attribute value assertions, each of which is true, concerning the distinguished values of a particular entry. Unfortunately, somewhere along the line one or more LDAP implementations permitted values in the RDN to be *in addition to* the values in the entry. This was a pain as it was not clear how search filters etc should behave, but some people with loud voices apparently became dependent on it. I remember someone (probably Kurt) saying at one point that the behaviour was wrong but someone had written it into the standards so it had to be supported. However, LDAP is now defined by RFC4512 which says this: 2.3.1. Relative Distinguished Names Each entry is named relative to its immediate superior. This relative name, known as its Relative Distinguished Name (RDN) [X.501], is composed of an unordered set of one or more attribute value assertions (AVA) consisting of an attribute description with zero options and an attribute value. These AVAs are chosen to match attribute values (each a distinguished value) of the entry. I read that as equivalent to the original X.501 definition, so maybe we should now treat the behaviour you see as a bug. Which version of slapd are you using? When I try this on 2.4.35 the extra value from the RDN gets copied into the entry so although the LDIF being loaded is not strictly correct it does result in a conformant entry. What does your entry look like when you read it back? Andrew -- ----------------------------------------------------------------------- | From Andrew Findlay, Skills 1st Ltd | | Consultant in large-scale systems, networks, and directory services | | http://www.skills-1st.co.uk/ +44 1628 782565 | -----------------------------------------------------------------------

2 1

Debian Squeeze: Slapd subtree disappears, but ldapsearch finds it | unable to allocate memory for mutex; resize mutex region
by Denny Schierz 02 May '13

02 May '13

hi, on the last hour I had a very strange problem: I have a Debian Squeeze with Slapd installed and it was working a long time, but today one subtree disappears completely from the ldap browser (Apache Directory Studio). I wasn't accessible anymore, but with ldapsearch I was able to see the tree. Also I tried to add the LDIF again to the LDAP, but slapd says: "... exists ...." The only way to get it back working again, was to restore the plain BDB files from the backupjob yesterday. I absolutely don't know, what happens. The only thing I changed, I reinstalled the second LDAP (n-way master) on a new host, with a config only and let the second ldap synchronize with the main LDAP. After ~20-40 minutes the job was done and the second was up to date. That was yesterday. - The subtree was also missing on the second LDAP ... so, the synchronizing did the same ... So, I deleted all *dbd* *log* on ldap2 (after the restore from the main LDAP) and wanted to synchronizing again the full tree ... but I get many warnings: dc=...... unable to allocate memory for mutex; resize mutex region any suggestions? cu denny

7 19

ACL on create questions
by Emmanuel Dreyfus 02 May '13

02 May '13

HI Two ACL questions: 1) Is it possible to allow entry creation on a branch while preventing renaming? I understand I need to give write access to - attrs=chidren on parent - attrs=entry on created entry - attrs=<the mandatory attributes for object> Last item include the attributes used for RHS part of the DN. That suggests renaming will always be possible 2) Is it possible to make some entry values mandatory for an entry creation? e.g.: I want to enforce specific values of objectClass -- Emmanuel Dreyfus manu(a)netbsd.org

2 1

How to configure ubuntu server with LDAP group based authentication
by Geo P.C. 02 May '13

02 May '13

By installing libnss-ldap we are able to integrate an Ubuntu server with ldap (openldap). But we are unable to configure ldap group based authentication. We need to configure in such a way that user from a particular group need only to login. Please let me know is it possible configure it and please update us the steps or any url. Thanks Geo

3 3

Need help to configure OpenLDAP!!
by pradyumna dash 02 May '13

02 May '13

Hi, Am facing an issue while configuring OpenLDAP. My suffix looks like below in the *slapd.conf* file and apart from the default schema i have used ppolicy. database bdb suffix "dc=example,dc=com,dc=in" rootdn "cn=Manager,dc=example,dc=com,dc=in" # SAG: 20100203 overlay ppolicy ppolicy_default "cn=default,ou=policies,o=test,dc=example,dc=com,dc=in" ppolicy_use_lockout I have prepared the below LDIF to add *test.ldif* ====== dn: dc=com,dc=in dc: com objectClass: top objectClass: domain dn: dc=example,dc=com,dc=in dc: example objectClass: top objectClass: domain dn: ou=People,dc=example,dc=com,dc=in ou: People objectClass: top objectClass: organizationalUnit dn: ou=Group,dc=example,dc=com,dc=in ou: Group objectClass: top objectClass: organizationalUnit Am using the below command to add this LDIF file: *ldapadd -x -W -D "cn=Manager,dc=example,dc=com,dc=in" -f /opt/test.ldif* But am getting the below error. * "adding new entry "dc=com,dc=in" ldap_add: Server is unwilling to perform (53) additional info: no global superior knowledge**"* Please help. Regards, /Neo

5 4

The problem of BINDDN/BINDPW in ldap.conf (2nd time)
by Madas Pál 01 May '13

01 May '13

Earlier thread: > Tianyin Xu asked, Howard Chu answered: > > > ... > > This works quite fine. Then, I write the parameters into ldap.conf as follows: > > -----------------ldap.conf----------------------- > BASE dc=ucsd,dc=edu > BINDDN cn=admin,dc=ucsd,dc=edu > BINDPW 12345 > ----------------------------------------------------- > > Then only BASE has effect. According to the ldap.conf manual, BINDDN is a > > ... > > Those were not OpenLDAP's ldap.conf. BINDPW isn't mentioned in > OpenLDAP documentation because it does not exist in OpenLDAP. Reading > non-OpenLDAP documentation and attempting to apply it to OpenLDAP > software is a pretty reliable means of confusing yourself. My question: It has been clearly stated, that BINDPW cannot be used in ldaprc (at least in the case of openldap). But it is definitely stated in the manpage of ldap.conf, that BINDDN is a legal user-only option of openldap. My ldaprc says: BASE ou=madas,dc=something BINDDN cn=admin,dc=something TLS_REQCERT allow URI ldaps://ip1.ip2.ip3.ip4 BASE and URI has its effect, BINDDN has not. Did I make a mistake? Thank you in advance. man ldap.conf: ... AUTHOR Kurt Zeilenga, The OpenLDAP Project ACKNOWLEDGEMENTS OpenLDAP Software is developed and maintained by The OpenLDAP Project <http://www.openldap.org/>. OpenLDAP Software is derived from University of Michigan LDAP 3.3 Release. OpenLDAP 2011/11/24 LDAP.CONF(5) ...

2 1

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical May 2013