common name
by Jignesh
I am confused about common name. In OpenLDAP it is a combination of first name and last name, and on the other hand it is unique. So it forces us to use something other than a
combination of first name and last name.
Now tools like php openldap and Apache Directory show the LDAP users in the left navigation by common name. So if we map common name to something else then we will have
a problem viewing the list in these tools.
Is it possible to change the settings of the above tools so that they display users based on first name and last name instead of common name?
-Jignesh
9 years
LMDB concurrent operation and MDB_NOSYNC
by Kristian Amlie
Hi,
Does using MDB_NOSYNC when opening the MDB environment in any way affect
LMDB's ability to do concurrent database access?
Regards
Kristian Amlie
CFEngine
9 years
Multiple userPasswords entries & resetting one value
by Michael
I have a user with a SSHA userPassword value as well as a SASL userPassword entry. The SASL entry will never change but I'd like to be able to reset and age the SSHA entry only. Is this aging of only one value possible with ppolicy and is it possible to handle manual resets with ldappasswd and/or utilizing an LDIF file?
-Mike
9 years
evaluation of set-clauses in <WHO>
by Michael Ströder
Hi!
Still trying to optimize a bunch of set-based ACLs I wonder whether the
(possibly heavy-weight) set-clauses in the <WHO> part are evaluated only in
case of an actually matching <WHAT> part.
Any hint is appreciated.
Ciao, Michael.
9 years
LDAP account status
by Julien Courtès
Hi,
I want to disable an account without deleting the information about it.
This account is linked with some services such as Owncloud, ftp
authentication, samba, linux auth and ssh auth.
Is there a way to disable the account for all the services?
I know that I can disable the account for samba with sambaAcctFlags but
I don't know an easy way for other services.
I thought of creating a new field called "AccountStatus" and filtering, in
each service, the accounts which have AccountStatus=active, like this:
(&(objectClass=inetOrgPerson)(AccountStatus=active))
Is it a good way to do it or not?
Thanks
Julien Courtès
9 years
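As an added illustration (not code from the post or from OpenLDAP), the filter proposed above evaluated against a handful of constructed entries, with the filter built through RFC 4515 escaping so that a status string taken from a service's configuration cannot alter the filter's structure. The entries, DNs and the evaluator are assumptions for the demonstration; the evaluator covers only the RFC 4515 subset the post needs (and/or/not, equality, presence), and it assumes AccountStatus uses caseIgnoreMatch, as most string attributes do. The real matching rule is whatever the schema you define for the attribute says.

```python
"""Evaluate the posted AccountStatus filter against constructed entries.

Added example, not code from the post. Entries are dicts mapping a
lower-cased attribute name to its list of values. Assumption:
AccountStatus uses caseIgnoreMatch, so equality is case-insensitive.
"""
import re


def escape_filter_value(value):
    """RFC 4515 section 3: escape the characters that carry filter syntax."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def active_filter(status="active", object_class="inetOrgPerson"):
    """The filter from the post, with both values escaped."""
    return "(&(objectClass=%s)(AccountStatus=%s))" % (
        escape_filter_value(object_class), escape_filter_value(status))


def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def parse_filter(text, pos=0):
    """Recursive-descent parser for the and/or/not/equality/presence subset.

    Returns (node, next_pos). Nodes are ('&'|'|'|'!', [children]) or
    ('=', attribute_lowercase, value) where value '*' is a presence test.
    """
    if text[pos] != "(":
        raise ValueError("expected '(' at %d" % pos)
    pos += 1
    if text[pos] in "&|!":
        op, pos, kids = text[pos], pos + 1, []
        while text[pos] == "(":
            node, pos = parse_filter(text, pos)
            kids.append(node)
        if text[pos] != ")":
            raise ValueError("expected ')' at %d" % pos)
        return (op, kids), pos + 1
    # A literal ')' inside a value is escaped as \29, so this scan is safe.
    end = text.index(")", pos)
    attr, sep, value = text[pos:end].partition("=")
    if not sep:
        raise ValueError("unsupported filter item: %r" % text[pos:end])
    return ("=", attr.lower(), _unescape(value)), end + 1


def matches(node, entry):
    op = node[0]
    if op == "&":
        return all(matches(k, entry) for k in node[1])
    if op == "|":
        return any(matches(k, entry) for k in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    values = entry.get(attr, [])
    if value == "*":                     # presence test
        return bool(values)
    return any(v.lower() == value.lower() for v in values)


def search(entries, filter_text):
    """Return the sorted DNs of the entries the filter selects."""
    node, end = parse_filter(filter_text)
    if end != len(filter_text):
        raise ValueError("trailing data after filter")
    return sorted(dn for dn, e in entries.items() if matches(node, e))


# Constructed sample entries (not real directory data).
ENTRIES = {
    "uid=alice,ou=people,dc=example,dc=com":
        {"objectclass": ["inetOrgPerson"], "accountstatus": ["active"]},
    "uid=bob,ou=people,dc=example,dc=com":
        {"objectclass": ["inetOrgPerson"], "accountstatus": ["disabled"]},
    "uid=carol,ou=people,dc=example,dc=com":
        {"objectclass": ["inetOrgPerson"]},       # attribute never populated
    "cn=backup,ou=services,dc=example,dc=com":
        {"objectclass": ["account"], "accountstatus": ["active"]},
}

if __name__ == "__main__":
    print(search(ENTRIES, active_filter()))
    # A hostile status string is escaped, not interpreted as filter syntax:
    print(active_filter("active)(objectClass=*"))
```

Two things the run shows that the post does not spell out: an entry that never received the attribute (carol) is excluded, so the scheme fails closed only if every account is populated before the services switch to the filter; and an entry outside the expected object class (the backup account) is excluded by the objectClass term, so service accounts need their own handling.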
memberOf overlay issues
by Brendan Kearney
Fedora 20, slapd 2.4.39
I am trying to add the memberOf overlay onto a database. The module is
loading fine, but the instantiation of the overlay causes some errors.
It seems that an OID syntax is throwing things for a loop. Below is the
output from "slaptest -d any". What could I be doing wrong?
53682a3b ldif_read_file: read entry file without checksum:
"/etc/openldap/slapd.d/cn=config/olcDatabase={2}mdb/olcOverlay={2}memberof.ldif"
53682a3b => str2entry: "dn: olcOverlay={2}memberof
objectClass: olcOverlayConfig
objectClass: olcMemberOfConfig
objectClass: top
olcOverlay: {2}memberof
structuralObjectClass: olcMemberOfConfig
entryUUID: 881fa376-67df-1033-8b16-e73c76eb0f15
creatorsName: cn=Manager,dc=my-domain,dc=com
createTimestamp: 20140504135544Z
entryCSN: 20140504135544.638618Z#000000#000#000000
modifiersName: cn=Manager,dc=my-domain,dc=com
modifyTimestamp: 20140504135544Z
"
53682a3b >>> dnPrettyNormal: <olcOverlay={2}memberof>
53682a3b <<< dnPrettyNormal: <olcOverlay={2}memberof>,
<olcOverlay={2}memberof>
53682a3b str2entry: invalid value for attributeType objectClass #1
(syntax 1.3.6.1.4.1.1466.115.121.1.38)
53682a3b send_ldap_result: conn=-1 op=0 p=0
53682a3b send_ldap_result: err=80 matched="" text="internal error
(cannot parse some entry file)"
slaptest: bad configuration file!
9 years
Re: Phantom certificates?
by Andrew D. Arenson
On Wed, May 07, 2014 at 09:42:33AM +0200, Hallvard Breien Furuseth wrote:
> On 05/06/2014 05:26 PM, Andrew D. Arenson wrote:
> >(...) if I set
> >TLS_CACERTDIR to /etc/openldap/certs, which has the cert8.db file, but
> >as far as I can tell has no actual certificates in that database,
> >ldapsearch tells me, surprisingly, that the server's certificate _IS_ verified.
> >
> > How is openldap verifying my server's certificate?
>
> Maybe this is a variant of ITS#5582: Setting TLS_CACERT to any
> certificate.pem file also tells OpenSSL to check the system's
> standard installed certs. OpenLDAP should have a separate
> option for that, or the opposite - an option not to do that.
Thanks. I didn't find an option for turning on/off the
use of a system's standard installed certs. Are you saying that you
think something like that _does_ exist, or that you simply think it
should?
I tried moving my certs directory out of the default location
of /etc/pki/tls, but was still unable to generate a failure to
verify the certificate when TLS_CACERTDIR was set to
/etc/openldap/certs.
Andy
--
Andrew D. Arenson | aarenson (@) iu.edu
Advanced Biomedical IT Core, Research Technologies, UITS | W (317) 278-1208
RT is a PTI Cyberinfrastructure & Service Center | C (317) 679-4669
Indiana University Purdue University Indianapolis | F (317) 278-1852
9 years
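An added check, not part of the thread: the behaviour Hallvard describes (an explicit anchor does not stop OpenSSL from also loading a default location) can be reproduced and ruled out with the openssl command-line tool alone, without a directory server. The script generates a throwaway test CA, a server certificate it signs and an unrelated CA in a temporary directory (all names are made up), then runs `openssl verify` with and without the default store. It assumes OpenSSL 1.1.0 or later, where the `-no-CAfile` and `-no-CApath` options exist. This exercises OpenSSL's trust-store loading; an OpenLDAP build linked against NSS, which is what a cert8.db directory indicates, keeps its anchors in that database instead.

```shell
#!/bin/sh
# Added example, not from the thread: show which trust anchors `openssl verify`
# consults, so that a "surprising" success can be traced to the default store
# rather than the CA you pointed at. All material is generated in a temp dir;
# nothing is contacted. Needs OpenSSL >= 1.1.0 for -no-CAfile/-no-CApath.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Constructed test CA and a server certificate it signs (names are made up).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test CA" \
    -keyout ca.key -out ca.pem >/dev/null 2>&1
openssl req -newkey rsa:2048 -nodes -subj "/CN=ldap.example.com" \
    -keyout srv.key -out srv.csr >/dev/null 2>&1
openssl x509 -req -in srv.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
    -days 1 -out srv.pem >/dev/null 2>&1
# An unrelated CA, standing in for "any certificate.pem" that is not the issuer.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Other CA" \
    -keyout other.key -out other.pem >/dev/null 2>&1

# verify_with <openssl verify options...>: prints OK or FAIL for srv.pem.
# Without -no-CAfile/-no-CApath, openssl still loads whichever default
# location you did not override explicitly, on top of what you pass.
verify_with() {
    if openssl verify "$@" srv.pem >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

# 1. Issuer supplied explicitly: OK, whatever else is in the default store.
verify_with -CAfile ca.pem
# 2. Wrong anchor, defaults still enabled: FAIL here only because no default
#    store holds our private Test CA. A server cert from a public CA would
#    pass this step, which is the "phantom" success from the thread.
verify_with -CAfile other.pem
# 3. Defaults switched off, issuer supplied: OK. This is the form that proves
#    the decision rests on your anchor alone.
verify_with -no-CAfile -no-CApath -CAfile ca.pem
# 4. Defaults switched off, no anchor at all: FAIL.
verify_with -no-CAfile -no-CApath
```

To test a real server the same way, capture its chain with `openssl s_client -showcerts` and feed the leaf and intermediates to `verify_with`: if a run with the wrong `-CAfile` succeeds while the same run with `-no-CAfile -no-CApath` added fails, the default store supplied the anchor.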
Re: LMDB integrity with MDB_NOSYNC on various filesystems
by Howard Chu
Dimitrios Apostolou wrote:
> Hello,
>
> I'm reading in LMDB docs that MDB_NOSYNC will not allow database
> corruption under certain conditions:
>
>> However, if the filesystem preserves write order and the MDB_WRITEMAP
>> flag is not used, transactions exhibit ACI (atomicity, consistency,
>> isolation) properties and only lose D (durability). I.e. database
>> integrity is maintained, but a system crash may undo the final
>> transactions
>
>
> Do we know if these conditions are valid for modern filesystems like ext3,
> ext4, XFS and how this is affected by various mount options (e.g. ordered,
> writeback etc)?
Read up on the specific filesystems you're interested in. These things change
too frequently for us to track, and it's your responsibility to know what
you're deploying.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
9 years
deploying password policy module
by Paul B. Henson
We are planning to deploy the password policy module to satisfy our security
group's requirement for account lockouts (a.k.a., intentionally provided DoS
attack vectors <sigh>). I had a couple of questions regarding the deployment
I was hoping someone might be kind enough to answer.
Does the password policy module need to be loaded on all of the servers
simultaneously, even if there are no password policies defined? We typically
stage configuration changes, pulling servers out of the load balancer,
updating them, testing them, and then putting them back, such that at no
time is service unavailable. The password policy module extends the schema
though, and I don't want a server with it loaded potentially trying to
replicate unknown attributes to one without it loaded. It's not clear
whether simply loading the module would potentially cause this, or if
password policy attributes would only be replicated if the module was
actually configured with a default policy or if a user had a specifically
defined policy. So, would it be safe to stage the initial configuration
change loading the module as long as no policies are in place or used (until
all of the servers have been updated), or is it required to shut down all of
the servers simultaneously to make the change?
We are only planning to avail of account lockouts, not any of the other
functionality of the module. As such, unless I misunderstand, the following
policy should enable lockouts but not apply any of the other restrictions:
dn: cn=default,ou=policies,dc=example,dc=com
cn: default
objectClass: pwdPolicy
pwdAttribute: userPassword
pwdLockout: TRUE
pwdLockoutDuration: 1800
pwdMaxFailure: 100
pwdFailureCountInterval: 300
This would be the default policy. We also have some number of service
accounts which we would not want subject to lockouts, if I understand
correctly, configuring those accounts with an explicit password policy
pwdPolicySubentry like this:
dn: cn=serviceaccount,ou=policies,dc=example,dc=com
cn: serviceaccount
objectClass: pwdPolicy
pwdAttribute: userPassword
Should leave them with no restrictions?
Finally, there is a requirement for the helpdesk to be able to manually
unlock a locked out account. For an account that is currently locked out,
would deleting the pwdAccountLockedTime and pwdFailureTime attributes reset
it to a normal state?
Thanks much.
9 years
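As an added illustration (not slapd code, and not from the post), a small model of the lockout rules the two posted policies express, following the draft-behera-ldap-password-policy semantics the ppolicy overlay implements: failures older than pwdFailureCountInterval are purged, the account is locked once pwdMaxFailure recent failures accumulate, the lock expires after pwdLockoutDuration (0 meaning until an administrator resets it), and the manual reset removes pwdAccountLockedTime and pwdFailureTime. It models only lockout, treats GeneralizedTime values as whole seconds, and uses a constructed timeline; the policy dictionaries carry the values from the LDIF above.

```python
"""Model of the lockout rules the posted pwdPolicy entries express.

Added illustration of the draft-behera-ldap-password-policy lockout
semantics that the OpenLDAP ppolicy overlay implements; it is not slapd
code and omits everything but lockout (no expiry, history or quality).
An entry is a dict of the operational attributes ppolicy maintains
(pwdFailureTime, pwdAccountLockedTime) as GeneralizedTime strings.
"""
from datetime import datetime, timedelta, timezone

GT = "%Y%m%d%H%M%SZ"   # GeneralizedTime in whole seconds (assumption for brevity)


def parse_gt(text):
    return datetime.strptime(text, GT).replace(tzinfo=timezone.utc)


def fmt_gt(when):
    return when.strftime(GT)


def seconds_after(text, seconds):
    """Convenience for building a timeline from a GeneralizedTime string."""
    return parse_gt(text) + timedelta(seconds=seconds)


# Attribute values from the posted LDIF; all durations are in seconds.
DEFAULT_POLICY = {"pwdLockout": True, "pwdLockoutDuration": 1800,
                  "pwdMaxFailure": 100, "pwdFailureCountInterval": 300}
# The posted service-account policy carries no lockout attributes at all.
SERVICE_POLICY = {}


def is_locked(entry, policy, now):
    """Locked while pwdAccountLockedTime is set and pwdLockoutDuration has not elapsed."""
    locked_at = entry.get("pwdAccountLockedTime")
    if locked_at is None or not policy.get("pwdLockout", False):
        return False
    duration = policy.get("pwdLockoutDuration", 0)
    if duration == 0:
        return True                       # 0 means locked until an administrator resets it
    return now < parse_gt(locked_at) + timedelta(seconds=duration)


def record_failure(entry, policy, now):
    """Apply one failed bind; returns True if this failure triggers a lockout."""
    max_failure = policy.get("pwdMaxFailure", 0)
    if not max_failure:
        return False                      # nothing to count against: failures not tracked
    interval = policy.get("pwdFailureCountInterval", 0)
    times = list(entry.get("pwdFailureTime", []))
    if interval:                          # purge failures older than the interval
        cutoff = now - timedelta(seconds=interval)
        times = [t for t in times if parse_gt(t) > cutoff]
    times.append(fmt_gt(now))
    entry["pwdFailureTime"] = times
    if policy.get("pwdLockout", False) and len(times) >= max_failure:
        entry["pwdAccountLockedTime"] = fmt_gt(now)
        return True
    return False


def helpdesk_unlock(entry):
    """The manual reset asked about: remove both operational attributes."""
    entry.pop("pwdAccountLockedTime", None)
    entry.pop("pwdFailureTime", None)
    return entry


if __name__ == "__main__":
    t0 = "20140507120000Z"               # constructed start of the timeline
    user = {}
    for i in range(100):                  # 100 failures within 100 s: lockout
        record_failure(user, DEFAULT_POLICY, seconds_after(t0, i))
    print(is_locked(user, DEFAULT_POLICY, seconds_after(t0, 100)))
    helpdesk_unlock(user)
    print(is_locked(user, DEFAULT_POLICY, seconds_after(t0, 100)))
```

The model makes the interplay of the two numbers visible: 100 failures spaced 10 seconds apart never lock the account, because only the last 30 fall inside the 300-second window, while 100 failures inside the window lock it for 1800 seconds from the failure that crossed the threshold.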
Replication for small-bandwidth, mobile systems
by jan@pki-labor.de
Hello all,
we're challenged with a PKI scenario with multiple CAs (Certification
Authorities) publishing into multiple directories. Each CA has its own
distinct namespace (=DIT) and the directories shall be Multi-Master
replicated. So far, I think this can be handled via syncrepl.
Now I'm looking for a possibility to replicate (push) certain
directory contents (e.g. revocation list updates from the CAs) to
mobile systems which are connected via low bandwidth media (some kbps
like slow Modems, which also is already in use for other applications)
and the connections are not always available (e.g. client out of radio
reachability). As far as I understood several documents on syncrepl,
it is not really useful on low bandwidth connections. This push
service should therefore compress data or at least only transfer the
differences.
Is there a standardized protocol or other mechanism to accomplish that?
If not, is there a way to trigger something when updates are coming in
via replication? We would then think of using/building a special
transfer mechanism that does the job.
Thanks in advance for any hint!
Best regards,
Jan
9 years