openldap group issue on centos 5.5 - all users automatically get put into newly created group
by Janet Houser
Hi,
I created a DIT on a CentOS 6.5 box that looks something like this:
dc=name,dc=com
|-- ou=users
|   |-- user1
|   |-- user2
|   `-- user3
|-- ou=systems
|   |-- cn=group1
|   |   |-- user1
|   |   `-- user2
|   `-- cn=group2
|       |-- user2
|       `-- user3
`-- ou=policies
    `-- cn=ppolicy
I created my users, and I added several "linux groups" using the LDIF file:
dn: cn=dev,ou=systems,dc=ehs,dc=edu
cn: dev
gidNumber: 4005
objectClass: posixGroup
My goal was to simulate an entry that you'd find in the /etc/group file on a
Linux system. So if I added people to this group using the LDIF file:
dn: cn=dev,ou=systems,dc=ehs,dc=edu
changetype: modify
add: memberuid
memberuid: user1
memberuid: user2
So while user1 and user2 are in the default group "users", I wanted them to be
able to change the group on their files to "dev" in order to protect their
development files.
Now, this seemed to work, and when I went on my client and ran "groups user1",
I saw "users" and "dev".
However yesterday I added another group called "team0" with gid 22222 using the
following LDIF file:
dn: cn=team0,ou=systems,dc=ehs,dc=edu
cn: team0
gidNumber: 22222
objectClass: posixGroup
When I was logged into my client machine (CentOS 5.5 box) and ran groups on an
old user, it showed "users", "dev" and now "team0", although I never added that
user to the new group.
I cleaned the client cache using the nscd -i invalidate=group command, then
removed all the cached directories in /var/db/nscd and rebooted, but that new
group seems to have been applied to everyone.
I might have screwed up the creation of my DIT, but I was thinking that things
were working OK, since I could add "unix groups" that are visible with the
"getent group" command on a client, I could add users into these groups, and I
could change the group of files to lock out some users. But I don't understand
this behavior now.
I have about 6 groups defined, and the last one I created yesterday is the only
one that seems to get applied to all users.
I'd appreciate any help you could give... I'm scratching my head on this one.
Thanks.
8 years, 11 months
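As an added example, not from the thread, here is a check that separates the two possibilities raised in this post: either the directory really does list every user in team0, or the client's NSS layer is reporting a membership the directory never stored. It reads posixGroup entries from a slapcat-style dump and compares them with the client's getent group output; the LDIF, the uid-to-gidNumber map and the getent lines below are constructed for the example.

```python
"""Cross-check posixGroup membership as the directory states it against what a
client's NSS layer reports via 'getent group'. Added example, not from the
thread; the LDIF, passwd map and getent output below are constructed."""
import re
from collections import defaultdict

# Constructed slapcat-style LDIF: 'dev' lists two memberUid values, 'team0' none.
GROUP_LDIF = """\
dn: cn=dev,ou=systems,dc=ehs,dc=edu
cn: dev
gidNumber: 4005
objectClass: posixGroup
memberUid: user1
memberUid: user2

dn: cn=team0,ou=systems,dc=ehs,dc=edu
cn: team0
gidNumber: 22222
objectClass: posixGroup
"""

# Constructed uid -> primary gidNumber map (what 'getent passwd' would give).
PASSWD = {"user1": 100, "user2": 100, "user3": 100}

# Constructed 'getent group' output as the client shows it: team0 carries
# members the directory never assigned.
GETENT_GROUP = """\
users:x:100:
dev:x:4005:user1,user2
team0:x:22222:user1,user2,user3
"""


def groups_from_ldif(ldif_text):
    """Return {cn: (gidNumber, set(memberUid))} for posixGroup entries.
    Only the attributes this check needs are read; LDIF line folding and
    base64 values are not handled, which is fine for these entries."""
    groups = {}
    for block in re.split(r"\n\s*\n", ldif_text.strip()):
        attrs = defaultdict(list)
        for line in block.splitlines():
            if ":" in line and not line.startswith("#"):
                name, _, value = line.partition(":")
                attrs[name.strip().lower()].append(value.strip())
        if "posixgroup" not in {v.lower() for v in attrs["objectclass"]}:
            continue
        groups[attrs["cn"][0]] = (int(attrs["gidnumber"][0]), set(attrs["memberuid"]))
    return groups


def groups_from_getent(getent_text):
    """Return {name: (gid, set(members))} from 'getent group' lines."""
    result = {}
    for line in getent_text.strip().splitlines():
        name, _pw, gid, members = line.split(":", 3)
        result[name] = (int(gid), {m for m in members.split(",") if m})
    return result


def expected_memberships(groups, passwd):
    """Directory-side view: a user belongs to every group naming it in
    memberUid, plus the group whose gidNumber equals the user's own."""
    gid_to_name = {gid: cn for cn, (gid, _members) in groups.items()}
    expected = defaultdict(set)
    for cn, (_gid, members) in groups.items():
        for uid in members:
            expected[uid].add(cn)
    for uid, gid in passwd.items():
        if gid in gid_to_name:
            expected[uid].add(gid_to_name[gid])
    return expected


def unexplained_memberships(ldif_text, getent_text, passwd):
    """Return {uid: set(groups)} that the client reports but the directory
    does not justify. Anything listed here is a client-side effect (nss_ldap
    mapping or filter, nscd cache), not a membership stored in the DIT."""
    groups = groups_from_ldif(ldif_text)
    expected = expected_memberships(groups, passwd)
    reported = defaultdict(set)
    for name, (_gid, members) in groups_from_getent(getent_text).items():
        if name not in groups:
            continue  # local /etc/group entry such as 'users', not the directory's
        for uid in members:
            reported[uid].add(name)
    gaps = {}
    for uid, names in reported.items():
        extra = names - expected.get(uid, set())
        if extra:
            gaps[uid] = extra
    return gaps


if __name__ == "__main__":
    for uid, extra in sorted(unexplained_memberships(GROUP_LDIF, GETENT_GROUP, PASSWD).items()):
        print(f"{uid}: client reports {sorted(extra)}, no memberUid or matching gidNumber in the directory")
```

Feed it a slapcat dump of the group subtree (or the output of an ldapsearch for (objectClass=posixGroup) run from the client, which also shows what the client is actually allowed to read) together with getent group from the client. If team0 is flagged for users who have no memberUid, the fault is on the client side (the group filter or attribute mapping nss_ldap reads from /etc/ldap.conf on CentOS 5, or a stale nscd cache); if nothing is flagged, the extra memberUid values really are in the directory.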
DOS/Windows command to query OpenLDAP
by Scott Gates
Hello,
I have a question. I support a Windows Server based application that
connects to several forms of LDAP, including OpenLDAP.
Occasionally, for debugging purposes, I need to see if we're on speaking
terms with the OpenLDAP server and are getting proper information from it.
In a DOS window using Active Directory, I'd type >net user john.doe /domain and get back:
C:\Users\john.doe.VB>net user john.doe /domain
The request will be processed at a domain controller for domain company.loc.
User name john.doe
Full Name John Doe
Comment Product Support Engineer
User's comment
Country code (null)
Account active Yes
Account expires Never
Password last set 11/30/2014 7:46.29 AM
Password expires 12/30/2014 7:46.29 AM
Password changeable 11/30/2014 7:46.29 AM
Password required Yes
User may change password Yes
Workstations allowed All
Logon script
User profile
Home directory
Last logon 12/12/2014 8:06:11 AM
Logon hours allowed All
Local Group Memberships
Global Group memberships *FSUSERS *Network Support Engin
*SupportSecGroup *Domain Users
*Network Engineers
The command completed successfully.
Is there a command I can run from a Windows DOS prompt that would show me
essentially the same info for OpenLDAP? When my customers are using OpenLDAP
and having issues, I'm usually flying blind.
Scott Gates
Production Support Engineer
VBrick Systems, Inc.
8 years, 11 months
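OpenLDAP has no single command that mirrors net user, but the same picture comes from two ldapsearch queries: the user's entry, then every group that lists it. The helper below is an added example, not something from the thread or from OpenLDAP itself. It assumes OpenLDAP's ldapsearch client is installed and on PATH (builds of the client tools exist for Windows), a suffix of dc=example,dc=com, inetOrgPerson users keyed by uid, and groups of the posixGroup (memberUid) or groupOfNames (member) kind; all of those are assumptions. It escapes the username per RFC 4515 before building the filter, so a name pasted from a ticket cannot rewrite the query, and it keeps the bind password off the command line.

```python
"""Two ldapsearch queries that together give roughly what 'net user X /domain'
shows: the user's entry, then every group that lists it. Added example, not from
the thread. Assumptions: OpenLDAP's ldapsearch is on PATH, the suffix is
dc=example,dc=com, users are inetOrgPerson entries keyed by uid, groups are
posixGroup (memberUid) or groupOfNames (member)."""
import subprocess

BASE_DN = "dc=example,dc=com"           # assumption
LDAP_URI = "ldaps://ldap.example.com"   # assumption


def escape_filter_value(value):
    """RFC 4515 escaping for an assertion value. Without it a pasted name such
    as '*)(uid=*' rewrites the filter instead of being searched for."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def user_filter(username):
    return "(&(objectClass=inetOrgPerson)(uid=%s))" % escape_filter_value(username)


def group_filter(username, user_dn):
    """Match posixGroup (memberUid holds the uid) and groupOfNames (member holds
    the DN). The DN is an assertion value too, so it is escaped the same way."""
    return ("(|(&(objectClass=posixGroup)(memberUid=%s))"
            "(&(objectClass=groupOfNames)(member=%s)))"
            % (escape_filter_value(username), escape_filter_value(user_dn)))


def ldapsearch_argv(filter_text, attrs, base_dn=BASE_DN, uri=LDAP_URI, bind_dn=None):
    """argv for the OpenLDAP client: -x simple bind, -LLL plain LDIF output,
    -W prompts for the password rather than exposing it in the process list."""
    argv = ["ldapsearch", "-LLL", "-x", "-H", uri, "-b", base_dn]
    if bind_dn:
        argv += ["-D", bind_dn, "-W"]
    return argv + [filter_text] + list(attrs)


def dns_and_values(ldif_out, attr):
    """Pull 'dn:' lines and one attribute's values out of -LLL output."""
    dns = [l[4:] for l in ldif_out.splitlines() if l.startswith("dn: ")]
    prefix = attr + ": "
    values = [l[len(prefix):] for l in ldif_out.splitlines() if l.startswith(prefix)]
    return dns, values


def lookup(username, run=subprocess.run):
    """Return (user_dn, [group cn, ...]); 'run' is injectable so the flow can
    be exercised without a server (see demo_run)."""
    out = run(ldapsearch_argv(user_filter(username),
                              ["uid", "cn", "mail", "gidNumber", "pwdChangedTime"]),
              capture_output=True, text=True, check=True).stdout
    dns, _ = dns_and_values(out, "uid")
    if not dns:
        return None, []
    out = run(ldapsearch_argv(group_filter(username, dns[0]), ["cn"]),
              capture_output=True, text=True, check=True).stdout
    return dns[0], dns_and_values(out, "cn")[1]


class FakeCompleted:
    def __init__(self, stdout):
        self.stdout = stdout


def demo_run(argv, **_kwargs):
    """Constructed stand-in for a server: answers the user query with one entry
    and the group query with two groups, so lookup() runs offline."""
    filt = next(a for a in argv if a.startswith("("))
    if filt.startswith("(&(objectClass=inetOrgPerson)"):
        return FakeCompleted("dn: uid=john.doe,ou=people,dc=example,dc=com\nuid: john.doe\ncn: John Doe\n")
    return FakeCompleted("dn: cn=dev,ou=groups,dc=example,dc=com\ncn: dev\n\n"
                         "dn: cn=team0,ou=groups,dc=example,dc=com\ncn: team0\n")


if __name__ == "__main__":
    # Against a real server drop run=demo_run; typed at a plain prompt the first
    # query is: ldapsearch -LLL -x -H ldaps://ldap.example.com -b dc=example,dc=com "(uid=john.doe)"
    print(lookup("john.doe", run=demo_run))
```

Whether the directory actually holds attributes comparable to the net user columns (pwdChangedTime, for instance, only exists when the ppolicy overlay is in use) depends on the customer's schema and ACLs, which is exactly what the first query reveals.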
modify jpegPhoto => segfault
by Raffael Sahli
Hi
Is there a known problem with the attribute jpegPhoto (inetOrgPerson) on
2.4.40?
If I update or add the attribute with data bigger than ~27KB, slapd crashes
(`/usr/local/libexec/slapd': free(): invalid next size (normal):).
(Tried with builds on Ubuntu LTS 12.04 and 14.04, with bdb or mdb; all
result in the problem above.)
Going back to 2.4.39 solves the problem.
--
Raffael Sahli
8 years, 11 months
Re: 2.4.40 RPMs for openSUSE
by Michael Ströder
Ulrich Windl wrote:
>>>> Michael Ströder <michael(a)stroeder.com> wrote on 11.12.2014 at 09:25 in
> message <54895505.5050005(a)stroeder.com>:
>> Ulrich Windl wrote:
>>>>>> Michael Ströder <michael(a)stroeder.com> wrote on 10.12.2014 at 23:34 in
>>> message <5488CA70.3080805(a)stroeder.com>:
>>>> HI!
>>>>
>>>> After some struggle and help by some opensuse-packaging list members
>>>> (thanks!)
>>>> I achieved almost what I wanted.
>>>>
>>>> I'd appreciate if someone could work on SLES support.
>>>
>>> AFAIK SLES 12 (current) will ship 2.4.39; it shouldn't be hard to use the
>> SRPM
>>> to upgrade to 2.4.40.
>>
>> Actually the package was not made from scratch.
>> It's branched from the original openSUSE package.
>>
>>> I never did it, but I guess you can use the SUSE build
>>> server to do the job.
>>
>> Before telling everybody what's already known:
>>
>> Did you actually read my e-mail?
>> If yes, then you should have seen that the links in my e-mail are pointing
>> to
>> the SUSE build service.
>
> The links are pointing to some location within opensuse.org,
No. https://build.opensuse.org is *the* link to the SUSE build service.
Even a SuSE beginner, like myself, should know that.
> and it's not
> obvious from the URI how the packages were built, and no: I don't click on
> every link in every message, especially if I don't want to download the
> software at the URI.
Feel free to ignore information provided.
But don't whine when you're ignored then.
>> Please stop writing here when you're not willing to spend at least two
>> minutes for reading and thinking before posting.
>
> Unfriendly tone seems to be common on this list.
>
> Maybe add to your signature: "I'm a guru, don't try to tell me anything, even
> if it seems I'm asking for advice"
If you dig into the mailing list archives you can see that I have given unpaid
volunteer support for 15+ years now. I do this because other skilled people
helped me when I was a beginner. And I can claim that most of the time I'm quite
patient explaining things. I'm not perfect either and consider myself to be
still learning.
The point is: Your postings are often plain wrong. It costs a lot of time to
correct your false statements so that the mailing list archive is not filled
with rubbish leading beginners in the wrong direction.
The deal with functional community support is:
Don't generate extra work for the experts.
Be committed to take over work items you can do yourself.
So ask yourself before blaming others for their tone:
What's your community contribution up to now?
Ciao, Michael.
8 years, 11 months
Re: Antw: 2.4.40 RPMs for openSUSE
by Michael Ströder
Ulrich Windl wrote:
>>>> Michael Ströder <michael(a)stroeder.com> wrote on 10.12.2014 at 23:34 in
> message <5488CA70.3080805(a)stroeder.com>:
>> HI!
>>
>> After some struggle and help by some opensuse-packaging list members
>> (thanks!)
>> I achieved almost what I wanted.
>>
>> I'd appreciate if someone could work on SLES support.
>
> AFAIK SLES 12 (current) will ship 2.4.39; it shouldn't be hard to use the SRPM
> to upgrade to 2.4.40.
Actually the package was not made from scratch.
It's branched from the original openSUSE package.
> I never did it, but I guess you can use the SUSE build
> server to do the job.
Before telling everybody what's already known:
Did you actually read my e-mail?
If yes, then you should have seen that the links in my e-mail are pointing to
the SUSE build service.
Did you bother clicking on one of the links?
If yes, you should have seen from which package my package is branched.
You can even see the linkdiff with *one* click.
Please stop writing here when you're not willing to spend at least two minutes
for reading and thinking before posting.
Ciao, Michael.
8 years, 11 months
Performance impact of linking libwrap
by Michael Ströder
HI!
I'm currently trying to upgrade an OpenLDAP package for an openSUSE distribution.
The original package links slapd with libwrap, which made sense in earlier times
on systems without local host firewall mechanisms.
If libwrap does not have a major performance impact I'd keep it that way just
for the sake of backward compatibility.
But AFAICT if slapd is linked with libwrap the TCP wrapper is always asked
whether a connection is allowed or not. One cannot disable it by slapd
configuration.
So the question is: How big is the performance impact?
Ciao, Michael.
8 years, 11 months
./configure option for /usr/sbin/slapd
by Michael Ströder
HI!
Is there a possibility to tell ./configure to install the slapd executable
also in /usr/sbin/ instead of libexecdir?
I set --libexecdir to arch-specific directory /usr/lib or /usr/lib64 for the
loadable modules but would like to have slapd in the arch-independent
directory /usr/sbin/.
Ciao, Michael.
8 years, 11 months
Problems starting an instance of openLDAP
by Ike Ikonne
Hi all,
I am getting the following error message and would like
to know if anyone has any idea as to why I am getting it:
547e04ae line 55 (index telephonenumber)
547e04ae index telephoneNumber 0x0714
547e04ae line 56 (index cn)
547e04ae index cn 0x0714
547e04af config_back_db_open: No explicit ACL for back-config configured. Using hardcoded default
547e04af config_build_attrs: error 21 on olcConfigFile value #0
547e04af config_build_entry: build "cn=config" failed: ""
547e04af backend_startup_one (type=config, suffix="cn=config"): bi_db_open failed! (-1)
547e04af slapd stopped.
Thanks,
Ike
8 years, 11 months
-DLDAP_CONNECTIONLESS
by Michael Ströder
HI!
Another packaging decision:
Is building with -DLDAP_CONNECTIONLESS of any real use?
Is there any harm using it?
Personally I see no use but one never knows...
Ciao, Michael.
8 years, 11 months
ldap sync
by Kolijn, P.
List,
I have been trying to configure a producer -> consumer setup with 2.4.39
and an mdb backend.
It seems to work for a while, but the sync stops when data.mdb is
approx. 15M, about 1630 entries instead of the 50000 and about 400M...
If I do a slapadd of the data into my consumer it will grow beyond the
15M size...
--snip--
# ldap data
database mdb
maxsize 1073741824
directory /var/lib/ldap
suffix "dc=example,dc=com"
rootdn "cn=ldap_admin,dc=example,dc=com"
rootpw "{SSHA}0rvO4rPODnqNPqkbDv/vuKm8hXGS7mtG"
# Sync Consumer
# The indent is necessary
syncrepl rid=002
        provider=ldap://ldapmaster.test.example.com
        type=refreshAndPersist
        retry="5 5 300 5"
        searchbase="dc=example,dc=com"
        filter="(objectclass=*)"
        attrs="*"
        scope=sub
        schemachecking=off
        bindmethod=simple
        binddn="cn=replicator,dc=example,dc=com"
        credentials="secret"
-- end snip --
I have set the global options:
-- snip --
sizelimit unlimited
timelimit unlimited
-- end snip --
...but that didn't help...
I have no clue why or where this is coming from, or how to figure out where
it goes bottom up...
Any pointers?
Thanks!
--
Pascal Kolijn
Vrije Universiteit Amsterdam
8 years, 11 months
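One way to see where a consumer like this one stopped, as an added example rather than anything from the thread: take a slapcat dump on each side (slapcat -l provider.ldif on the provider, the same on the consumer) and compare the two. slapcat emits the operational attributes, so each entry carries its entryCSN and the suffix entry carries contextCSN; the script below unfolds slapcat's LDIF, lists the DNs the consumer lacks, the entries it holds in an older state, and whether its contextCSN lags. The suffix name and both dumps are constructed for the example and mimic the symptom described (a consumer that stops short of the provider).

```python
"""Compare slapcat dumps from a syncrepl provider and a consumer to see where a
stalled replication stopped: which DNs the consumer lacks, which entries it
holds in an older state, and whether the suffix entry's contextCSN lags.
Added example, not from the thread; both dumps below are constructed."""
import base64
from collections import defaultdict

SUFFIX = "dc=example,dc=com"  # assumption
CSN_OLD = "20141201090000.000000Z#000000#000#000000"
CSN_NEW = "20141212080611.000000Z#000000#000#000000"
LONG_DESC = "This is a long description value that slapcat folds over two lines"


def folded_b64(attr, text, width=60):
    """Emit 'attr:: <base64>' folded as slapcat does (continuation lines begin
    with one space), so the parser below is exercised on that case."""
    b64 = base64.b64encode(text.encode()).decode()
    return attr + ":: " + "\n ".join(b64[i:i + width] for i in range(0, len(b64), width))


def entry(dn, entry_csn, *attrs):
    return "\n".join(["dn: " + dn, *attrs, "entryCSN: " + entry_csn]) + "\n"


PERSON = "objectClass: inetOrgPerson"
# Constructed provider dump: four entries, contextCSN at the newest change.
PROVIDER_LDIF = "\n".join([
    entry(SUFFIX, CSN_OLD, "objectClass: dcObject", "objectClass: organization",
          "dc: example", "o: Example", "contextCSN: " + CSN_NEW),
    entry("uid=user1,ou=people," + SUFFIX, CSN_OLD, PERSON, "uid: user1", "cn: U1", "sn: One"),
    entry("uid=user2,ou=people," + SUFFIX, CSN_NEW, PERSON, "uid: user2", "cn: U2", "sn: Two",
          folded_b64("description", LONG_DESC)),
    entry("uid=user3,ou=people," + SUFFIX, CSN_NEW, PERSON, "uid: user3", "cn: U3", "sn: Three"),
])
# Constructed consumer dump: stopped before user3 arrived and before user2 changed.
CONSUMER_LDIF = "\n".join([
    entry(SUFFIX, CSN_OLD, "objectClass: dcObject", "objectClass: organization",
          "dc: example", "o: Example", "contextCSN: " + CSN_OLD),
    entry("uid=user1,ou=people," + SUFFIX, CSN_OLD, PERSON, "uid: user1", "cn: U1", "sn: One"),
    entry("uid=user2,ou=people," + SUFFIX, CSN_OLD, PERSON, "uid: user2", "cn: U2", "sn: Two"),
])


def parse_ldif(text):
    """Minimal slapcat reader: unfolds continuation lines, decodes '::' base64
    values, returns {dn: {attr: [values]}}."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, attrs = {}, defaultdict(list)
    for line in lines + [""]:          # the trailing "" flushes the last entry
        if not line.strip():
            if attrs.get("dn"):
                entries[attrs["dn"][0]] = dict(attrs)
            attrs = defaultdict(list)
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        attrs[name].append(value.strip())
    return entries


def replication_gap(provider_text, consumer_text, suffix=SUFFIX):
    """Summarise what the consumer is missing relative to the provider."""
    prov, cons = parse_ldif(provider_text), parse_ldif(consumer_text)
    common = set(prov) & set(cons)
    return {
        "provider_entries": len(prov),
        "consumer_entries": len(cons),
        "missing_on_consumer": sorted(set(prov) - set(cons)),
        "unexpected_on_consumer": sorted(set(cons) - set(prov)),
        "stale_on_consumer": sorted(dn for dn in common
                                    if prov[dn].get("entryCSN") != cons[dn].get("entryCSN")),
        "csn_in_sync": prov.get(suffix, {}).get("contextCSN") == cons.get(suffix, {}).get("contextCSN"),
    }


if __name__ == "__main__":
    # Real use: slapcat -l <file> on each side, then pass both files' contents here.
    for key, val in replication_gap(PROVIDER_LDIF, CONSUMER_LDIF).items():
        print(f"{key}: {val}")
```

The first DN in missing_on_consumer is the place to look in the provider's and consumer's logs (slapd -d sync on both sides) for the error that stopped the stream; a contextCSN that matches while entries are missing points instead at the consumer having skipped entries, for example because the replicator identity cannot read them.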