openldap-technical October 2014

openldap-technical@openldap.org

69 participants
76 discussions

Access right for slapd plugins
by Ulrich Windl 29 Oct '14

29 Oct '14

Hi! I have a question: I slapd bound to access rights itself, i.e. do you have to assign some rights for e.g. the password policies for slapd to read those? What are the minimum (i.e. recommended) acess right for the password policy and the pwdPolicySubentry? Regards, Ulrich

1 0

Send Email to users on account creation
by santosh pai 27 Oct '14

27 Oct '14

Hello team, I have setup Openldap and managing the same through Ldap Account manager( https://www.ldap-account-manager.org/lamcms/) . I 'm able to create the accounts through ldif file and as well as through the ldap account manager .Is it possible to send email to user once the account is created on ldap .I have googled but I'm able to get results which tells on integrating openldap with smtp server . -- Cheers, Santhosh Pai Mob# : +91 9886545674 Email to:Santoshsco@gmail.com

3 2

Duda
by Jorge Alberto Aquino Andrade 27 Oct '14

27 Oct '14

Quiero configurar lo siguiente ou=administracion ou=cobros ou=facturacion y quiero tener varios usuarios usuario1=juan.perez usuario2=perico.delospalotes usuario3=juan.lopez usuario4=juan.flores quisera asignar los usuarios a las ou ou=administracion usuario1 usuario2 ou=cobros usuario3 usuario4 ou=facturacion usuario1 usuario2 Quisiera restringir que el usuario1 solo pueda ingresar a la ou=administracion y a ou=facturacion y que NOPUEDA ingresar a la ou=cobros Como puedo hacer esto?

1 1

Advice sought regarding logging changes made to OpenLDAP server
by Philip Colmer 27 Oct '14

27 Oct '14

I've been asked to log & track changes made to our LDAP system. My initial thought was to use the auditlog overlay as it outputs to a text file, thus making it relatively straightforward to parse, but a 2009 discussion (http://www.openldap.org/lists/openldap-technical/200911/msg00092.html) suggested a potential problem, namely no logging of time and name for deletes. Replies to that discussion suggested the use of accesslog instead. However, that logs to a database which isn't really what I'm after. A 2011 discussion (http://www.openldap.org/lists/openldap-technical/201104/msg00084.html) sought answers similar to the one I'm looking for now, namely is there a way of getting changes logged into a text file? One of the replies (from Quanah) suggested ldap-stats.pl but I'm not looking for stats - I'm looking for the actual changes being made. Since both of those discussions are quite old, I was wondering if there was any up-to-date advice regarding best practice for the sort of information I'm trying to capture? Thanks. Philip

2 1

issues with schema mapping on 2.4.39 with back-sql AND oracle
by Roberto Benedetti 27 Oct '14

27 Oct '14

hello to everyone. [I already tried to send this message to the list. as a list-subscriber I couldn't see it in my inbox neither I saw it on the web list archives. I hope you did not get this message twice] * I was able to run tests against a 2.4.39 OpenLDAP server configured to make use of a MySQL server database. * I have a properly installed Oracle client and also properly configured unixODBC to query Oracle via the "isql" command. * I can see queries run against the oracle instance (although bind-values masquerade run-time queries) after issuing all the DDL and DML statements that come with the distributed software and after modifying the slapd.conf as suggested, I run into problems when starting the server (enclosed please find the complete output with debug set to "-1"): I get the following error[1] even if the query with "2" as the bind value properly works. *questions* Q1) what am I missing? have you got any hint? (if needed, I can provide further information) Q2) are the provided sample files supposed to work as-is? Q3) if the answer to Q2 is "no" but you have been able to run back-sql and Oracle, could you please share DDL and metadata? thanks for your support, roberto benedetti [1] 5447ade2 backsql_oc_get_attr_mapping(): error executing at_query "SELECT name,sel_expr,from_tbls,join_where,add_proc,delete_proc,param_order,expect_return,sel_expr_u FROM ldap_attr_mappings WHERE oc_map_id=?" for objectClass "document" with param oc_id=2 5447ade2 Return code: -1 5447ade2 <==backsql_load_schema_map() 5447ade2 backsql_db_open(): schema mapping failed, exiting 5447ade2 backend_startup_one (type=sql, suffix="dc=example,dc=com"): bi_db_open failed! (1)

1 0

sha256WithRSAEncryption certificates - should this work
by lejeczek 26 Oct '14

26 Oct '14

hi everybody our suite: openldap-2.4.39-3.el7.x86_64 openldap-clients-2.4.39-3.el7.x86_64 openldap-servers-2.4.39-3.el7.x86_64 tools/clients break against sha256 certs, TLS: loaded CA certificate file /etc/openldap/cacerts/5d05809b.0 from CA certificate directory /etc/openldap/cacerts. TLS: error: connect - force handshake failure: errno 0 - moznss error -5938 TLS: can't connect: TLS error -5938:Encountered end of file. is this expected? regards

1 1

translucent overlay add an attribute to all users in a OU and subtree
by Nicolas RENAULT 26 Oct '14

26 Oct '14

Hi, (sorry for poor english) I already ask here for meta and it's working (only have the date format conversion problem but we are about to find alternative) So the ldap proxy can search for a user and provide attributes from an AD, Edir and openldap. but now I want to add attributes to the edir and openldap users search result to have as much as from a AD user (example homeDrive) I plan to use translucent to add these attributes, find that translucent cannot be used with meta so create new slapd instance. I have add base and OU into this instance I read carefully http://www.openldap.org/doc/admin24/overlays.html , and man slapo-translucent I understand that they explain how to add attributes to only one group here my questions how can I add attributes to the translucent instance to all users in an OU (and sub) ? is there another way to do what I want to do ? thanks all for responses -- Nicolas

4 15

filesystem considerations
by Julien Huon 24 Oct '14

24 Oct '14

Hello, I read a long time ago theses very interesting benchmarks : http://symas.com/mdb/microbench/july/. It seams that ext2 is the fastest filesystem for asynchronous writes. Do you think an ext4 filesystem without journalisation but with extents could be faster ? A LMBD database is a big flat file isn't it ? Extents are very interesting with that kind of files, aren't they ? Did someone try it ? Regards

3 4

Redhat LDAP Client Issues when disabling SSLv3
by Peter Boguszewski 23 Oct '14

23 Oct '14

I am running into issues on RHEL 6.x servers (mix of 6.5 and now 6.6) when attempting to disable SSLv3. I have compiled the servers with the --with-tls=openssl option and communication appears to be working well between servers to matter what I have for SSL Protocol. My problems are with the clients. For client configuration I install the openldap-clients package via yum install. Everything works as expected with this setting on the server side: olcTLSCipherSuite: HIGH:+TLSv1.2:-TLSv1.1:-TLSv1.0:+SSLv3:-SSLv2 as soon as I modify the +SSLv3 to -SSLv3 to this: olcTLSCipherSuite: HIGH:+TLSv1.2:-TLSv1.1:-TLSv1.0:-SSLv3:-SSLv2 the client no longer works. I have tried just about everything I can think of. I /can /get ldapsearch to work properly when I compile the openldap source on the client but sssd / authentication on the Red Hat side still fails. Here is the error message I am getting: 54481b75 slap_listener_activate(8): 54481b75 >>> slap_listener(ldaps://blah) 54481b75 connection_get(38): got connid=1009 54481b75 connection_read(38): checking for input on id=1009 TLS trace: SSL_accept:before/accept initialization TLS trace: SSL3 alert write:fatal:handshake failure TLS trace: SSL_accept:error in SSLv3 read client hello C TLS trace: SSL_accept:error in SSLv3 read client hello C TLS: can't accept: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher. 54481b75 connection_read(38): TLS accept failure error=-1 id=1009, closing 54481b75 connection_close: conn=1009 sd=38 I am assuming this has something to do with RHEL clients linking to MozNSS libraries instead of openssl but can not be sure of that. Again, to be clear - I do not change anything but the olcTLSCipherSuite entry so I do not believe it is a certificate issue. Is there a solution to LDAP auth for RHEL clients with only allowind TLSv1.2? I will gladly compile from source or use the LTB Project rpms. Thanks in advance, -- Peter Boguszewski Manager of Library Systems UW Madison - Library Technology Group pboguszewski(a)library.wisc.edu 608.262.4768

6 8

Synchronizing two mirror mode clusters
by Clément OUDOT 23 Oct '14

23 Oct '14

Hi, I need to set up a backup OpenLDAP cluster and I am looking for advices on the best solutions to achieve it. The situation is: * A mirror mode cluster on one geographical site * A mirror mode cluster on another geographical site (backup site) * I would prefer not to impact configuration of main cluster * I think that full multi-master on different geographical site is not the best solution (but maybe I am totally wrong on this point) The backup site must be in sync with the main site. Here are my two ideas: * Configure a syncrepl client to main cluster on each node of the backup cluster. Question is: will not be conflicts as each node of the backup cluster is already synced with the other backup node? * Configure a LDAP proxy (back-ldap) to backup cluster, with syncrepl client to main cluster. But would back-ldap be able to write operational attributes to backup cluster? I imagine that some of you already have such needs, could you share your experience? Thanks, Clément.

5 6

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical October 2014