openldap-technical March 2014

openldap-technical@openldap.org

89 participants
101 discussions

OpenLDAP back-end
by Андрей Андреев 15 Mar '14

15 Mar '14

Hi, everybody! I make some research about directory services and LDAP and can't understand(find) which method(hash,b+tree, etc.) used to search in BDB. Can you help me? -- Best regards, thexf.

1 0

Features been supported by LDAP
by saurabh ohri 14 Mar '14

14 Mar '14

Hi All, First of all thanks to everyone for all your support during the installation of openldap and its authentication, although would be requiring some more going further. Was wondering if you guys can help me with you feedback on the below features if openldap support of not? S.No Requirements 1 Authentication 2 Authorization(Admin/root or non admin/root) 3 Password policy push Changing password after first login(new User) Auto account lock/unlock in case of 3 invalid attempt Complexity(aplhanumeric, 8 chars, upper case/lowecase) Expiry and expiry warning Grace Logins 4 Forceful auto loading of application at startup 5 Auto Antivirus updates 6 logging access and tracebility 7 Rules based logins 8 High Availability 9 Pushing security policies in form of patches updates or fixes 10 Configuring auto schedulers(scans) 11 Group policies 12 Auto backups or auto-mapping of shared drives 13 Server management in terms of license etc 14 Supports SSL communication 15 Support for SSO 16 Running scripts on client 17 Supporting all above features on Windows/Mac/ubuntu/Linux clients Thanks again. Regards Sam

3 3

slapd-meta and idassert-bind
by Ana Fernandez 14 Mar '14

14 Mar '14

Hello, I've three servers with three different LDAP suffixes: ou=users, ou=ldap1 and ou=ldap2. Servers with ou=ldap1 and ou=ldap2 also have a replica of the ou=users suffix LDAP0 : ou=users,dc=test,dc=com LDAP1 : ou=ldap1,dc=test,dc=com and ou=users,dc=test,dc=com LDAP2 : ou=ldap2,dc=test,dc=com and ou=users,dc=test,dc=com Each application client, depending on which suffix needs to be accessed, connects to an instance or another. I want to unify access using ldap proxy. It seems that slapd-meta fits my requirements. I've configured this targets: # LDAP0 suffix "ou=users,dc=test,dc=com" uri "ldap://host1:389/ou=users,dc=test,dc=com" # LDAP1 suffix "ou=ldap1,dc=test,dc=com" uri "ldap://host2:389/ou=ldap1,dc=test,dc=com" # LDAP2 suffix "ou=ldap2,dc=test,dc=com" uri "ldap://host3:389/ou=ldap2,dc=test,dc=com" If the client binds the proxy with cn=user1,ou=users,dc=test,dc=com, it's authenticated successfully against ldap0 and can access to ou=users,dc=test,dc=com, but if tries to access ou=ldap1,dc=test,dc=com or ou=ldap2,dc=test,dc=com it binds anonymously to the targets and can not access anything. I've tried idassert-bind and works perfectly, but I was wondering if I can avoid the use of a "pseudo-root identity" who had privileges to assert the client's identity. As LDAP1 and LDAP2 have the ou=users suffix could authenticate the credentials of the users who bounds the proxy. I don't know if it's possible with slapd-meta, but the idea is that client's user/password will be send directly to targets for binding so there's no need of id assertion. The proxy simply passthrough the user/password to the targets. Is this possible or I have to use idassert-bind? Thanks

1 0

Regarding LDAP structure
by Joshua Riffle 14 Mar '14

14 Mar '14

I'm aware this may not be the best mailing list to discuss something as generalized as best practices for LDAP structuring within OpenLDAP, but would anyone be able to direct me to a mailing list that would be better suited for this kind of conversation? I'm looking for any or all of these kinds of communications within a mailing list: - Designing a person, account, group LDAP tree directory that would be scalable and flexible enough to grow to large sizes (millions) and still have a grip on best practices for identity management on an enterprise level. - Specifically for an educational institution if I can share the aches and pains of other directory owners with similar problems. - I also am trying to prove / disprove the use of having a person directory object with multiple child account objects as good or bad architecture and understand why. I've never seen this discussed in practice. - Good and bad ways to relate tree objects with each other. I only know of parent / child tree relationships or more "softly" by using DN's within an attribute like the group-member relationship. Joshua Riffle Software Engineer *Azusa Pacific University*

5 10

Planning migration to mdb
by Nick Milas 14 Mar '14

14 Mar '14

Hi, We have a running openldap installation (2.4.39) - a single master - with cn=config and hdb backend. So, config has the branches: I know we must slapcat our data and slapadd it in mdb afterwards. The question is: what changes should be done in the config DIT (and how) so that the config changes from hdb backend to mdb backend? Is it enough to slapcat config, then change: olcDatabase from {1}hdb to {1}mdb and: objectClass from olcHdbConfig to olcMdbConfig ...? Anything else? Can we safely delete all values of the olcDbConfig attribute which originate from converting from "DB_CONFIG"? What attributes can we safely remove? Thanks, Nick

3 3

What does COSINE stand for?
by Peng Yu 14 Mar '14

14 Mar '14

Hi, COSINE is mentioned in the following document. But it doesn't say what it stands for. Does anybody know what it stands for? Thanks. http://www.ietf.org/rfc/rfc1274.txt -- Regards, Peng

7 6

Where is "uid" defined in schema?
by Peng Yu 14 Mar '14

14 Mar '14

Hi, I'm not able to find where "uid" is defined. Could any expert point me where it is defined? Thanks. pengy@lithium:/etc/ldap/schema$ grep '\<uid\>' * core.ldif:# RFC 1274 (uid/dc) core.ldif:# NAME ( 'uid' 'userid' ) core.ldif: DESC 'RFC2377: uid object' core.ldif: SUP top AUXILIARY MUST uid ) core.schema:# RFC 1274 (uid/dc) core.schema:# NAME ( 'uid' 'userid' ) core.schema: DESC 'RFC2377: uid object' core.schema: SUP top AUXILIARY MUST uid ) cosine.schema:##attributetype ( 0.9.2342.19200300.100.1.1 NAME ( 'uid' 'userid' ) inetorgperson.ldif: $ roomNumber $ secretary $ uid $ userCertificate $ x500uniqueIdentifier $ pre inetorgperson.schema: photo $ roomNumber $ secretary $ uid $ userCertificate $ nis.ldif: f an account with POSIX attributes' SUP top AUXILIARY MUST ( cn $ uid $ uidNu nis.ldif: ttributes for shadow passwords' SUP top AUXILIARY MUST uid MAY ( userPassword nis.schema: MUST ( cn $ uid $ uidNumber $ gidNumber $ homeDirectory ) nis.schema: MUST uid openldap.ldif: MUST ( uid $ cn ) openldap.schema: MUST ( uid $ cn ) -- Regards, Peng

6 5

Cannot resolve group example to gid : not found (ldapadduser error)
by Peng Yu 13 Mar '14

13 Mar '14

Hi, https://help.ubuntu.com/13.10/serverguide/openldap-server.html#openldap-ser… I'm following the instructions on the following webpage, with the following sections skipped. - Modifying the slapd Configuration Database - Logging - Replication - Access Control - TLS - Replication and TLS Then I get the following errors when I try the following commands. I'm know that I might make simple mistakes but I have no clue how to figure it out. Could you help me on how to make the command work? Thanks. pengy@lithium:/etc/ldap/schema$ sudo ldapadduser george example Cannot resolve group example to gid : not found -- Regards, Peng

1 0

Basic Openldap Question
by Borresen, John - 0442 - MITLL 13 Mar '14

13 Mar '14

All, A question has popped up here about the "olcDatabase={-1}frontend" under cn=config. Besides replying that it is always there, I'm not really sure what it does or what its purpose is.in addition to what it states in the Admin Guide: ".is a special database that is used to hold database-level options that should be applied to all databases. Subsequent database definitions may also override some frontend settings." That's my question: What is the olcDatabase={-1}frontend dbase and what is its purpose? Thanks in advance, John D. Borresen (Dave) Linux/Unix Systems Administrator MIT Lincoln Laboratory Surveillance Systems Group 244 Wood St Lexington, MA 02420 Email: john.borresen(a)ll.mit.edu

2 1

TLS with multiple LDAP servers
by Julien Courtès 13 Mar '14

13 Mar '14

Hi, I have two LDAP servers in master-slave ldap1.domain.com - master ldap2.domain.com - slave These servers got different ip addresses and are hosted on different servers But I want to enable TLS connection with clients. So can I create a unique certificate that I put on both servers and the client will use one unique certificate to connect to server "ldap1" or "ldap2" if the first one is down. If not, how should I do? I did a search and I found that I can use subjectAltNames or wildcard certificat. Thanks Julien Courtès

5 5

← Newer
1
2
3
4
5
6
7
8
9
10
11
Older →

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical March 2014