On-disk-format of back-mdb depends on LDAP syntax?
by Michael Ströder
Hi!
Does the on-disk format of back-mdb depend on which LDAP syntax is used for an
attribute?
So if the LDAP syntax for an existing attribute were to change, would I have to
reimport the MDB?
Background:
I've changed (as a work-around for a broken client software) the LDAP syntax of
a custom attribute from Boolean to IA5String.
After that I could still read the attribute. But when deleting the attribute
slapd returned noSuchAttribute(16). I had to remove the whole entry.
BTW: No index is configured for this attribute.
Ciao, Michael.
Making sure this is a real issue before I submit it
by Mark Henning
Good Afternoon,
I am in the process of building an LDAP schema which has a number of
attributes which will be constrained to specific values. I have run into
an issue where slaptest will build the ldif file without syntax errors, but
when slapd starts up it can't find the X-ENUM syntax defined in the same
file.
# service slapd start
Checking configuration files for slapd: [FAILED]
olcAttributeTypes: value #0 olcAttributeTypes: Syntax not found:
"1.3.6.1.4.1.39235.2.3.500"
config error processing cn={5}test,cn=schema,cn=config: olcAttributeTypes:
Syntax not found: "1.3.6.1.4.1.39235.2.3.500"
slaptest: bad configuration file!
[root@DNEAA18S2 openldap]# slapd -V
@(#) $OpenLDAP: slapd 2.4.23 (Jan 28 2014 09:30:02) $
mockbuild(a)x86-022.build.eng.bos.redhat.com:
/builddir/build/BUILD/openldap-2.4.23/openldap-2.4.23/build-servers/servers/slapd
I have simplified the problem to a single syntax, attribute and object
class. The .schema file and resulting ldif are attached.
Is this a legitimate issue to report, or have I made some subtle syntax /
contextual error that is preventing the attribute from finding the syntax?
Cordially,
-Mark Henning
Use active directory to check password but keep all user data in LDAP
by Mattias Segerdahl
Hello,
I was wondering if it is possible to configure OpenLDAP 2.4 to only check the password validation with Active Directory and have the rest of the user attributes, such as mail, loginShell, homeDirectory, etc. come from OpenLDAP? Any pointers, guides, howtos or even "let me google that for you" are highly appreciated.
Cheers
Mattias
Fwd: Re: ldapsearch utf-8 results
by Nicolas Cauchie
On 26/05/2014 10:02, Matthias Apitz wrote:
> On Monday, May 26, 2014 at 09:18:38AM +0200, Nicolas Cauchie wrote:
>
>> Hello there
>> I use a Debian 7.4 server with ldapsearch to search data about users
>> on an Active Directory database.
>> When a result of a search contains special characters (such as é,
>> è, à), no result is given, but if I delete the special characters from the
>> user profile, it works.
>> How could I make it work with special characters (I guess it's a UTF-8
>> problem?)?
>> Thanks in advance
>> Nicolas
> Hi Nicolas,
>
> Are you sure that no results are returned? Can you show the output of the
> ldapsearch cmd-line tool? I saw that in the result values are encoded if
> they contain non-ASCII chars.
>
> matthias
Yes, I wrote it in a previous answer.
The result is base64 encoded if the "-t" switch is not used, or sent to a
temp file if this switch is used. But in both cases, I can't use the
result "as is" without another manipulation, but I'm stuck...
Thanks
New LDAP installation ?
by Michael Maymann
Hi List,
I'm new to setting up LDAP so please be nice... :)
I would like to achieve:
- SingleSignOn using AD username/password on my Linux servers (currently we
are running NIS)
- use strong encryption (at the very least no usernames/passwords in clear text)
- be able to keep current NIS uid/gid(s)
- use autofs on my Linux servers
- For my purpose - would I need to populate/maintain a LDAP tree or would
other tools e.g. winbind be sufficient ?
- Does anyone have experience with puppet module torian-ldap that could
give an example of their manifest ?
Thanks in advance :) !
Br.
~maymann
Locale dependent collation for server side sorting
by Jonas Israelsson
Greetings.
We have some challenges regarding Server Side Sorting, where it does not
really sort the way we want it to. In UTF-8 the character Ä/ä (c3 85/c3
a4) comes before Å/å (c3 84/c3 a5) whereas in our (Swedish) alphabetic
order it should be the other way around.
Server Side Sorting seems to blindly fall back on the sorting order of UTF-8:
isrjo@svarde:~> ldapsearch -E 'sss=sn:caseIgnoreOrderingMatch' -x -H
ldaps://myserver:636 -D uid=myuser,ou=applications,o=myorg -w mypass -b
ou=people,o=myorg -s sub gn=sortme sn gn description
# extended LDIF
#
# LDAPv3
# base <ou=people,o=myorg> with scope subtree
# filter: gn=sortme
# requesting: sn gn description
# with server side sorting control
#
# angla, people, Myorg
dn:uid=angla,ou=people,o=Myorg
givenName: sortme
sn:: w4RuZ2x1bmQ=
description: SN BEGINNING WITH LATIN CAPITAL LETTER A WITH DIAERESIS
# 19f98ab4-7beb-4703-82ec-df970944ef30, people, Myorg
dn: cn=19f98ab4-7beb-4703-82ec-df970944ef30,ou=people,o=Myorg
sn:: w4VrZXNzb24=
givenName: sortme
description: SN BIGGING WITH LATIN CAPITAL LETTER A WITH RING ABOVE
# search result
search: 2
result: 0 Success
control: 1.2.840.113556.1.4.474 false MAMKAQA=
sortResult: (0) Success
# numResponses: 3
# numEntries: 2
I fail to find in OpenLDAP any matching rule or any other way, such as
setting the locale before starting the slapd daemon, that changes the
sorting order.
Does anyone know if it is possible to specify a locale dependent
collation for server side sorting?
Rgds Jonas
Fwd: Re: ldapsearch utf-8 results
by Nicolas Cauchie
On 26/05/2014 09:51, Howard Chu wrote:
> Nicolas wrote:
>>> Hello there
>>>
>>> I use a Debian 7.4 server with ldapsearch to search data about users
>>> on an Active Directory database.
>>>
>>> When a result of a search contains special characters (such as é,
>>> è, à), no result is given, but if I delete the special characters from the
>>> user profile, it works.
>>>
>>> How could I make it work with special characters (I guess it's a UTF-8
>>> problem?)?
>>>
>>> Thanks in advance
>>>
>>> Nicolas
>>>
>> No one could help me?
>
> Sounds like a question for Microsoft. The OpenLDAP ldapsearch command
> prints out whatever data it receives from the remote server. If the
> remote server isn't sending you what you expect, then get help from
> that server's support team.
>
Hello (including other users' replies),
I just found one thing (obviously, you know it, not me...):
- When a result contains special characters and I use the "-t"
switch, my result is sent to a file under the /tmp folder: the result is
well readable, with every accent where it should be: it suits me.
- When a result contains special characters and I don't use the "-t"
switch, the result is base64 encoded.
So, I have 2 solutions:
- Read the /tmp/*.file and export the content to my script's variable,
but I can't guess the name of this file: for example, there's the name
of a company's user search: "ldapsearch-company-_8K2vOo_"
- Decode the result which was base64 encoded, but I can't guess if the
result will contain special characters or not. And if I decode a string
which doesn't contain special characters, it crashes, telling me it's not
base64 content...
What must I do?
Thanks a lot guys
Nicolas
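The two threads above (Jonas's Swedish collation question and Nicolas's base64 question) share one underlying mechanism: ldapsearch prints LDIF (RFC 2849), and a value that is not safe ASCII is written after a double colon ("sn::") as base64, while an ordinary value uses a single colon. The following Python script is an added example, not code from either thread or from the OpenLDAP project. It parses ldapsearch-style LDIF, decoding only the double-colon lines (which is the check that avoids Nicolas's "not base64 content" error on plain values), and then sorts the decoded surnames both by code point, as the server's ordering match effectively does, and by a simplified Swedish alphabet. The sample LDIF is constructed: the two base64 surnames are the values Jonas posted, the third entry and the folded description line are made up; the Swedish order used (A-Z, then Å, Ä, Ö) is an assumption that a real locale collation refines further.

```python
import base64
from typing import Dict, List, Tuple, Union

# Constructed sample in the shape ldapsearch prints. The two base64 surnames
# are the values quoted in Jonas's post; the third entry is constructed to show
# a plain single-colon value that must NOT be base64-decoded. The description
# line is folded (continuation line starting with a space) to exercise unfolding.
SAMPLE_LDIF = """\
# angla, people, Myorg
dn: uid=angla,ou=people,o=Myorg
givenName: sortme
sn:: w4RuZ2x1bmQ=

dn: cn=19f98ab4-7beb-4703-82ec-df970944ef30,ou=people,o=Myorg
sn:: w4VrZXNzb24=
givenName: sortme
description: SN BEGINNING WITH LATIN CAPITAL LETTER A
  WITH RING ABOVE

dn: uid=plain,ou=people,o=Myorg
sn: Andersson
givenName: sortme
"""

Value = Union[str, bytes]


def unfold(text: str) -> List[str]:
    """Join LDIF continuation lines (leading single space) onto the previous line."""
    logical: List[str] = []
    for line in text.splitlines():
        if line.startswith(" ") and logical:
            logical[-1] += line[1:]
        else:
            logical.append(line)
    return logical


def parse_ldif_line(line: str) -> Tuple[str, Value]:
    """Split 'name: value' / 'name:: base64' / 'name:< url' into (name, value).

    Only the double-colon form is base64; checking the separator is what
    avoids feeding an ordinary value such as 'sn: Andersson' to the decoder.
    """
    name, _, rest = line.partition(":")
    if rest.startswith(":"):
        raw = base64.b64decode(rest[1:].strip(), validate=True)
        try:
            return name, raw.decode("utf-8")
        except UnicodeDecodeError:
            return name, raw           # genuinely binary (e.g. a photo): keep bytes
    if rest.startswith("<"):
        return name, rest[1:].strip()  # URL reference; the caller may fetch it
    return name, rest.strip()


def parse_ldif(text: str) -> List[Dict[str, List[Value]]]:
    """Parse LDIF text into entries, each a dict of attribute -> list of values."""
    entries: List[Dict[str, List[Value]]] = []
    current: Dict[str, List[Value]] = {}
    for line in unfold(text) + [""]:   # sentinel blank line flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):       # ldapsearch comment lines
            continue
        name, value = parse_ldif_line(line)
        current.setdefault(name, []).append(value)
    return entries


# Simplified Swedish alphabet: A-Z, then Å, Ä, Ö (assumption for this example;
# a real locale collation such as ICU sv_SE has further rules).
SWEDISH_ORDER = "abcdefghijklmnopqrstuvwxyzåäö"


def swedish_key(s: str) -> List[Tuple[int, int]]:
    """Collation key: position in the Swedish alphabet; other characters sort after."""
    return [(SWEDISH_ORDER.index(c), 0) if c in SWEDISH_ORDER
            else (len(SWEDISH_ORDER), ord(c)) for c in s.casefold()]


def codepoint_key(s: str) -> str:
    """What a case-insensitive, code-point based ordering match sorts by."""
    return s.casefold()


def surnames(text: str) -> List[str]:
    return [str(e["sn"][0]) for e in parse_ldif(text) if "sn" in e]


def sort_codepoint(text: str) -> List[str]:
    return sorted(surnames(text), key=codepoint_key)


def sort_swedish(text: str) -> List[str]:
    return sorted(surnames(text), key=swedish_key)


if __name__ == "__main__":
    print("code point order (server):", sort_codepoint(SAMPLE_LDIF))
    print("Swedish order:            ", sort_swedish(SAMPLE_LDIF))
```

Run as-is it prints the two orderings of the same three surnames; the code-point order puts Änglund before Åkesson, the Swedish key puts Åkesson first. To apply it to real output, pipe ldapsearch (without -t) into the script and pass the text to parse_ldif; a value returned as bytes is one that was base64 because it is binary, not because it contained accents.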
posixgroups vs groupofnames
by Doug OLeary
Hey;
Here's the end goal: Have the ability to have posixgroup style support for
gid <-> group_name translation and the ability to use memberof style searches
without data duplication.
In short:
# ldapsearch -xLLL -s sub '(uid=doleary)' memberof
dn: uid=doleary,ou=users,dc=oci,dc=com
memberOf: cn=infra,ou=groups,dc=oci,dc=com
memberOf: cn=ldap-Administrators,ou=groups,dc=oci,dc=com
memberOf: cn=infosec,ou=groups,dc=oci,dc=com
memberOf: cn=dba,ou=groups,dc=oci,dc=com
and
# groups doleary
doleary : ldap-users ldap-Administrators infosec infra
Using a standard rfc2307 install, the only way I was able to get there was by
having duplicate groups, one posix and one groupofnames.
I've been playing around with rfc2307bis the last few days. While I'm able to
have one group, in order to support the desired functionality, I still have to
have two member types in that group - member and memberuid:
# ldap -search cn=infra
-----------------------------------------------------------------------
dn:cn=infra,ou=groups,dc=oci,dc=com
cn: infra
objectClass: top
groupOfNames
posixGroup
member: cn=admin,dc=oci,dc=com
uid=doleary,ou=users,dc=oci,dc=com
description: System Admins
gidNumber: 610
memberUid: doleary
Short version: is there a way to achieve this ability without duplicating
data?
Any info greatly appreciated. Thanks for your time.
Doug O'Leary
------------
Senior UNIX/Security Admin
CISSP, CISA, RHCE, CEH
O'Leary Computers Inc
dkoleary(a)olearycomputers.com (w) 630-904-6098 (c) 630-248-2749
linkedin: http://www.linkedin.com/in/dkoleary
resume: http://www.olearycomputers.com/resume.html
Recovering a multi-master node after a server failure
by Richard Marshall
Hi,
We have a multi master (2-node) cluster running 2.4.23 on CentOS 6. We're
effectively using them as a failover active-standby pair.
The 'Master' node failed last night and we failed over to the standby
(they're behind a load balancer). I am now trying to bring the old 'Master'
back online but it has become apparent there was a misconfiguration in the
server id config.
We did have 'Master' = serverid 1 and 'slave' = serverid 2 - i.e. it was
missing the server's URI. I have now fixed this, but we have around 500
objects on the old master reporting "changed by peer, ignored" in the sync
log.
The old master will get up to the latest CSN number after I restart it, but
then gets stuck with these "changed by peer, ignored" errors.
My question is, how do I get past this? Is it possible to remove the
objects and if so how (I don't want to delete them totally, just remove the
conflict).
Or, do I need to rebuild the 'old' master server database? If so, is the
process to stop slapd, remove the content of the database and accesslog
directories, create an LDIF export on the live server, slapadd that file
back onto the 'old' master, start it and then allow it to replicate any
new changes from its partner?
If this is the only way to do it, is there anything I need to look out for?
If not this, then what do I do? I've looked but can't find any guidelines
in how to recover a failed node.
Any help appreciated!
Thanks,
Rich