openldap-technical December 2014

openldap-technical@openldap.org

44 participants
55 discussions

Re: Removing unused schemas - recommended?
by Quanah Gibson-Mount 09 Dec '14

09 Dec '14

--On Wednesday, December 10, 2014 8:49 AM +1300 Chris Neilson <crusty.chris(a)gmail.com> wrote: Please keep replies on the list. > OK thanks. so no performance gains be excluding schemas. sweet. > When working with syncrepl, does it matter if the consumer has schemas > imported in a different order? or if the consumer has more schemas than > the provider (obviously assuming youre not replicating cn=config)? It shouldn't matter, order wise, but I personally prefer to have all systems load in the same order. If you have "extra" schema on a consumer that's never being used, then it shouldn't affect replication. --Quanah -- Quanah Gibson-Mount Platform Architect Zimbra, Inc. -------------------- Zimbra :: the leader in open source messaging and collaboration

1 0

Removing unused schemas - recommended?
by Chris Neilson 09 Dec '14

09 Dec '14

Im having a few issues wrapping my head around how schemas should be implemented. If I do a default install of openldap (2.4.23) on CentOS 6 the following schemas are automatically included: cn={0}corba.ldif cn={1}core.ldif cn={2}cosine.ldif cn={3}duaconf.ldif cn={4}dyngroup.ldif cn={5}inetorgperson.ldif cn={6}java.ldif cn={7}misc.ldif cn={8}nis.ldif cn={9}openldap.ldif cn={10}ppolicy.ldif cn={11}collective.ldif I assume this is done because it allows for a fairly flexible directory that Just Works for nearly everyone. However, many of these schemas contain attributes that I do not use, in fact I can cut down the list of schemas that contain attributes I knowingly use to the following list: cn={0}core.ldif cn={1}cosine.ldif cn={2}inetorgperson.ldif cn={3}nis.ldif cn={4}customschema.ldif My issue is that I am not sure if there is any benefit for removing the unused schemas (i.e. I could have just added my customschema as cn={12}customschema.ldif to the default install but I was worried there would be a performance penalty or security issue with including the unused schemas). Is it advisable to remove unused schemas? Does including unused schemas result in any sort of performance penalty (e.g. while booting or when doing searches)? If I want to use syncrepl to replicate my data do I have to have the exact same list of schemas in the same order on the consumer (i.e. does the number in the curly braces matter)? If I add a schema to a consumer does it have to be added to the provider as well even if the attributes it contains are unused?

3 2

adding a custom attribute
by Igor Shmukler 09 Dec '14

09 Dec '14

Hello, I want to have an ability add "custom attribute[s]" to my LDAP records. For example, such an attribute could be sipTelephone, mobile and/or something else. I did a little digging. Please advise whether I am on the right track. My understanding, at present, is that I would have to modify core.schema [located on my Ubuntu under /etc/ldap/schema ] and perhaps some other schema files from the same directory. I found various syntax OIDs. For telephones, for example - 1.3.6.1.4.1.1466.115.121.1.50 should be the right one. There is another OID for strings - 1.3.6.1.4.1.1466.115.121.1.15 for UTF-8 coded strings. Is editing core.schema the correct way to go? I am eagerly looking for advice. Thank you for reading my question this far. I have been saved twice by people on this list. Appreciate your help very much. Sincerely, Igor Shmukler

5 7

A TLS fatal alert has been received
by Scutulat Um 09 Dec '14

09 Dec '14

Hello guys, I'm having trouble figuring out a TLS fatal error. It seems that the certs are being read but a broken pipe appears suddenly (don't know exaclty what does it means). Here's the command I'm running: $ ldapsearch -LLLxWD cn=manager,dc=example,dc=com -b dc=apsidis,dc=com -ZZ -d 3 ldap_start_tls: Connect error (-11) additional info: A TLS fatal alert has been received. Here's part of the debug output: <Some certs info...> ... tls_write: want=523, written=523 0000: 16 03 03 02 06 10 00 02 02 02 00 9e 22 0e d5 86 ............"... 0010: 69 a5 a2 29 f6 76 11 19 f6 2d db a9 e8 f5 27 26 i..).v...-....'& 0020: da 74 85 e4 22 92 50 37 ef e8 8b 31 6e 32 c6 84 .t..".P7...1n2.. 0030: 2c 61 79 65 b0 56 9e bf 3e 97 3d 9a 6d 61 80 70 ,aye.V..>.=.ma.p 0040: f7 d9 dc 5f e6 40 f7 af 12 92 61 4f 56 fe 52 55 ..._.@....aOV.RU 0050: e0 3a 57 21 c4 d4 27 58 20 ba fb e2 74 9e f8 08 .:W!..'X ...t... 0060: ec 4b 2a b1 93 f1 06 e3 0b a8 d1 d1 b3 f8 e4 c4 .K*............. 0070: d4 b7 0a 22 7f a6 01 17 00 92 bb 12 99 68 2a 6f ...".........h*o 0080: 43 96 7d b1 da 80 fb 53 7e a4 71 40 51 50 46 5e C.}....S~.q@QPF^ 0090: a8 09 fc ab e9 10 90 27 2f a5 46 16 41 45 1d 95 .......'/.F.AE.. 00a0: 0d f2 d4 a1 d7 62 40 dd ba 5e d2 7a 47 10 14 83 .....b@..^.zG... 00b0: 60 2f be 66 a8 a8 6e 82 1a bc 61 45 d7 6c c2 e5 `/.f..n...aE.l.. 00c0: b3 07 b8 e1 6e a7 ca e1 22 50 79 5a 01 60 5f 0d ....n..."PyZ.`_. 00d0: ec f3 f5 a3 c2 f9 9d b1 52 cc 88 f9 65 de 74 58 ........R...e.tX 00e0: c1 b7 a8 e7 b7 c7 81 a0 8b ee 40 8c f3 a5 d2 b5 ..........@..... 00f0: 22 58 bd 87 d5 55 6e 32 a0 b5 2e 7a b7 a5 6b aa "X...Un2...z..k. 0100: 6f ab 32 37 bb bb f7 e5 ed 5c 79 16 93 94 ac 35 o.27.....\y....5 0110: 80 2b 9e d3 e6 c9 7e ef 3f 46 26 64 e4 40 ec f8 .+....~.?F&d.@.. 0120: 69 30 3e c5 61 0e 06 3a 2b 88 72 ef df aa d0 50 i0>.a..:+.r....P 0130: b9 b0 8e 7b 0a e1 2a 61 6d d6 75 1a 2d 04 bf 8e ...{..*am.u.-... 0140: 5e 09 ee c0 c2 1e b1 e1 f8 29 78 0f 91 e7 49 1d ^........)x...I. 0150: 9e bf a9 98 31 bc af d6 02 19 f9 3b 5e d2 0f 5e ....1......;^..^ 0160: 29 c2 ba 00 7c 52 d5 d6 33 59 4c 16 91 a8 9c 6d )...|R..3YL....m 0170: b6 9c 47 51 97 5a d9 ab 14 9b ba 0a a7 08 36 90 ..GQ.Z........6. 0180: 2f a8 33 0e 27 79 93 02 8f 91 46 92 da 5b e6 7e /.3.'y....F..[.~ 0190: db 7a 3a b0 3c c5 c9 98 f4 0a 86 44 94 03 66 d8 .z:.<......D..f. 01a0: b0 36 6e 59 ef 4d c5 03 e3 34 50 be c5 8d 43 e0 .6nY.M...4P...C. 01b0: ba 25 9d b4 74 52 15 5e bc 7c b1 3c 59 3d b7 a2 .%..tR.^.|.<Y=.. 01c0: 9a a0 82 d6 8a 83 8f cd b9 39 89 15 e9 f8 35 80 .........9....5. 01d0: 12 65 d3 1e 78 bb 10 d9 a7 0d 43 92 f5 de 01 52 .e..x.....C....R 01e0: be 55 c8 5c 30 93 21 d2 5e d8 87 a0 f0 5e 57 1a .U.\0.!.^....^W. 01f0: 11 c1 04 c7 70 33 01 8f cc 81 58 b4 4d 4c d2 b2 ....p3....X.ML.. 0200: ff 6a ba 80 e5 c3 18 29 5d c8 5e .j.....)].^ tls_write: want=269 error=Broken pipe Enter LDAP Password: ldap_sasl_bind ldap_send_initial_request ldap_send_server_request ber_scanf fmt ({it) ber: ber_scanf fmt ({i) ber: ber_flush2: 47 bytes to sd 3 tls_write: want=269 error=Broken pipe ldap_write: want=47 error=Broken pipe ldap_free_request (origid 2, msgid 2) ldap_free_connection 0 0 ldap_free_connection: refcnt 1 ldap_err2string ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1) ldap_free_connection 1 1 ldap_send_unbind ber_flush2: 7 bytes to sd 3 ldap_write: want=7 error=Broken pipe ldap_free_connection: actually freed $ Can anyone can point me into the right direction on how to solve this? Thanks!

2 1

Q: LDIF: use replace instead of add/delete?
by Ulrich Windl 09 Dec '14

09 Dec '14

Hello! I have a question: Is it always OK to use LDIF "replace", even if the attribute doesn't exist yet? If so, is it also OK to use "replace" with out specifying an attribute value instead of using "delete"? I actually managed to do the first one, and the operation is logged as "replace" not as "add" in accesslog. I wrote a program that uses accesslog to create an "undo-LDIF" to undo recent changes on demand. Now with that "replace" having succeeded, the undo operation created for it would be the second case ("replace" with no new value). Regards, Ulrich

2 1

ACL on new value for two attributes
by Emmanuel Dreyfus 09 Dec '14

09 Dec '14

Hello In ACL, the attrs=foo val.regex="^(.*)$" construct allows filtering on the new value for an attribute. Using sets in the who clauses this new value can be matched as ${v0} against current attributes values. But what about if we want to match against another new attribute value? I currently run 2.4.33, and there is no way to have multiple attrs=foo val.regex="^(.*)$" statements in the what clause. Has this changed in later releases? Or is there another way of doing it? -- Emmanuel Dreyfus manu(a)netbsd.org

4 8

Access bdb and ldap database at the same time
by Zhang,Jun 09 Dec '14

09 Dec '14

I've configured an ldap database in slapd.conf which serves as an Active Directory proxy, the slapd is running on RHEL 6. My Linux openldap clients can now browse the content of the AD. The purpose of doing this is for user login, which is authenticated against the AD, with the home directory information provided by the bdb database of the openldap server. autofs is functional through the rfc2307bis formatted automount maps. The problem is that "getent passwd username" not always work, so the AD users are not known even though ldapsearch can always find the user information with a proper search base set. At the slapd server (rhel 6), nslcd (try to avoid ssl at this stage) is being used, while at the Linux openldap clients, I compiled pam_ldap and nss_ldap. I noticed that the openldap clients use /etc/openldap/ldap.conf as the configuration file, and nss/pam use /etc/ldap.conf. Tried to use different BASE in the two conf files but it didn't work for me. I know there must be other people who's already done this, some way, and I'll very much appreciate it if somebody can point me to some known to work ways. Jun

2 1

Which schema to use?
by Nick Bright 09 Dec '14

09 Dec '14

Are there any pre-defined schema (or combination of schema) available that I could use with openldap that would provide some or all these attributes: accountid (integer) customerid (integer) nodeid (integer) accounttype (string) accesspoint (string) ipaddress (ip address) latitude (float) longitude (float) macaddress (string) A link to a novice/beginner guide for how to create schema would be helpful too. Thanks, -- ----------------------------------------------- - Nick Bright - - Vice President of Technology - - Valnet -=- We Connect You -=- - - Tel 888-332-1616 x 315 / Fax 620-331-0789 - - Web http://www.valnet.net/ - ----------------------------------------------- - Are your files safe? - - Valnet Vault - Secure Cloud Backup - - More information & 30 day free trial at - - http://www.valnet.net/services/valnet-vault - ----------------------------------------------- This email message and any attachments are intended solely for the use of the addressees hereof. This message and any attachments may contain information that is confidential, privileged and exempt from disclosure under applicable law. If you are not the intended recipient of this message, you are prohibited from reading, disclosing, reproducing, distributing, disseminating or otherwise using this transmission. If you have received this message in error, please promptly notify the sender by reply E-mail and immediately delete this message from your system.

2 1

what to do with ssl certs and keys of master and slave during replication
by wailok tam 08 Dec '14

08 Dec '14

Hi, all, Can a kind person tell me what special things need to be done with ca certs, server certs, and server keys? I read some blog which reports concatenating the master ca cert to the slave ca cert. But the slaver server cert and key was created ＆ signed with the slave ca cert b4 concatenation. Is that correct? No need to share the master server cert or key with the slave Thanks for viewing and thanks in advance for any advice.

1 0

storing ldap passwords on HSM
by lux-integ 08 Dec '14

08 Dec '14

Greetings, I have been searching webpages for guidance on using a smartcard ( also know as an HSM ) for storing passwords for an ldap database on a linux system. This would include for instance how would the userPassword (attrribute) be specified - i.e. how to specify the userPassword to read the PIN/SO- PIN/PUK{whatever} of the HSM/smart-card etc etc ?? Any guidance would be much appreciated. Yours sincerely luxInteg

4 16

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical December 2014