Re: OLC permissions - general beginner question
by Stefan Bauer
-----Original Message-----
From: Ferenc Wagner <wferi(a)niif.hu>
> You do not "logon", you use external authentication, which means there's
> no separate BIND step, like with simple bind (-x) for example. External
> authentication is not done by slapd (hence its name; it's done by the
> kernel in the above case), thus slapd can't fail it. The only LDAP
> operation it sees is a search, and the authenticated DN
> (gidNumber=X+uidNumber=Y,...) is not authorized for that, so the result
> is "No such object". As ACLs belong to target objects, they are not
> suitable for forcing server disconnection as soon as the authenticated
> DN is known. Maybe LDAP doesn't even allow such behaviour.
Hi,
thank you for the clarification.
Stefan
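The two points in the quoted reply, that an ldapi client arrives already authenticated as gidNumber=X+uidNumber=Y,cn=peercred,cn=external,cn=auth and that olcAccess rules are selected by the target entry rather than by the binding identity, can be seen in a small model of slapd's ACL evaluation. This is an added example, not OpenLDAP code and not from the thread: it implements only the first-matching-to, first-matching-by rule from slapd.access(5) for dn.exact, dn.subtree, dn.children, anonymous, users and *, and the sample olcAccess lines and suffix dc=example,dc=com are assumed.

```python
"""Model of how slapd resolves a SASL EXTERNAL (ldapi peercred) identity
against olcAccess clauses.  Added illustration, not OpenLDAP code: only a
subset of slapd.access(5) is modelled (no attribute selectors, regexes,
sets or 'break'/'continue' controls)."""
import re

# Privilege ladder from slapd.access(5); a grant of level X implies all lower ones.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

def peercred_dn(uid, gid):
    """DN slapd assigns to a client that binds with SASL EXTERNAL over ldapi://;
    it is derived from the kernel's peer credentials, not from any entry."""
    return f"gidNumber={gid}+uidNumber={uid},cn=peercred,cn=external,cn=auth"

def _norm(dn):
    # Case- and whitespace-insensitive comparison is enough for this model.
    return ",".join(p.strip().lower() for p in dn.split(","))

def _selector_matches(selector, dn):
    """Evaluate one <what> or <who> selector against a DN ('' = anonymous)."""
    if selector == "*":
        return True
    if selector == "anonymous":
        return dn == ""
    if selector == "users":
        return dn != ""
    m = re.fullmatch(r'dn\.(exact|subtree|children)="([^"]*)"', selector)
    if not m:
        raise ValueError(f"unsupported selector: {selector}")
    style, pattern, s = m.group(1), _norm(m.group(2)), _norm(dn)
    if style == "exact":
        return s == pattern
    if style == "children":
        return s != pattern and s.endswith("," + pattern)
    return s == pattern or s.endswith("," + pattern)

def parse_access(line):
    """Parse 'to <what> by <who> <access> [by ...]' (optional 'olcAccess: {n}' prefix)."""
    body = re.sub(r'^\s*(olcAccess:\s*)?(\{\d+\})?\s*to\s+', "", line)
    what, _, rest = body.partition(" by ")
    bys = []
    for clause in re.split(r"\s+by\s+", rest):
        who, _, level = clause.strip().rpartition(" ")
        if level not in LEVELS:
            raise ValueError(f"unknown access level in: {clause}")
        bys.append((who.strip(), level))
    return what.strip(), bys

def granted_level(acls, subject_dn, target_dn):
    """The first 'to' clause matching the target entry selects the rule; inside
    it the first matching 'by' wins; with no match at all access is 'none'."""
    for line in acls:
        what, bys = parse_access(line)
        if not _selector_matches(what, target_dn):
            continue
        for who, level in bys:
            if _selector_matches(who, subject_dn):
                return level
        return "none"            # 'to' matched, but no 'by' applied
    return "none"

def can(acls, subject_dn, target_dn, needed):
    return LEVELS.index(granted_level(acls, subject_dn, target_dn)) >= LEVELS.index(needed)

# Constructed sample configuration (assumed DNs, not from the thread).
ROOT_DN = peercred_dn(0, 0)
ACLS = [
    'olcAccess: {0}to dn.subtree="cn=config" by dn.exact="%s" manage by * none' % ROOT_DN,
    'olcAccess: {1}to dn.subtree="dc=example,dc=com" by users read by anonymous auth',
]

if __name__ == "__main__":
    user = peercred_dn(1000, 1000)
    print(user)
    print("root on cn=config:", granted_level(ACLS, ROOT_DN, "cn=config"))
    print("uid 1000 on cn=config:", granted_level(ACLS, user, "cn=config"))
    print("uid 1000 on dc=example,dc=com:", granted_level(ACLS, user, "dc=example,dc=com"))
```

A local root process (uid 0, gid 0) gets manage on cn=config, while any other local user hits the same 'to' clause and ends at 'by * none': slapd never "fails the logon", it just has no entry it is allowed to return, which is why the search comes back as noSuchObject.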
5 years, 10 months
Next Release of LMDB
by Vishesh Handa
Hey guys
Is there some kind of rough timeline for when the next version of LMDB will
be released?
We're using it in KDE and we need the patch for robust mutexes, which is
currently in git. I'm not too comfortable in asking all the distributions
to have that patch, though opensuse already does that.
--
Vishesh Handa
deleting pwdPolicySubentry attribute
by David Magda
Hello,
"pwdPolicySubentry" is an operational attribute per slapo-ppolicy(5). I
was able to add it quite easily, but I can't seem to delete it so an
account goes back to using the default policy:
$ ldapsearch -H ldap://master -W -D 'cn=admin,dc=example,dc=com' -b 'dc=example,dc=com' '(uid=dmagda)' +
Enter LDAP Password:
# dmagda, People, example.com
dn: uid=dmagda,ou=People,dc=example,dc=com
structuralObjectClass: inetOrgPerson
entryUUID: 1b0d0b6c-1115-1030-8396-1ba5239e5e7d
creatorsName: cn=admin,dc=example,dc=com
createTimestamp: 20110512185510Z
pwdPolicySubentry: cn=service,ou=pwpolicies,dc=example,dc=com
entryCSN: 20150602173051.854144Z#000000#000#000000
modifiersName: cn=admin,dc=example,dc=com
modifyTimestamp: 20150602173051Z
entryDN: uid=dmagda,ou=People,dc=example,dc=com
subschemaSubentry: cn=Subschema
hasSubordinates: FALSE
$ cat del.ldif
dn: uid=dmagda,ou=People,dc=example,dc=com
changetype: modify
delete: pwdPolicySubentry
$ ldapsearch -H ldap://master -W -D 'cn=admin,dc=example,dc=com' -f del.ldif
Enter LDAP Password:
[...]
# search result
search: 2
result: 32 No such object
Given that I could add the attribute, I thought that it could be deleted
as well.
Thanks for any info.
Regards,
David
Where to find attribute description for dn in core.schema
by Stefan Bauer
Dear Users,
I'm trying to understand the LDIF format and wonder in which schema file the attribute 'dn' is defined?
I can only find the long form distinguishedName in core.schema.
This is the example I'm using for research:
dn: dc=structure-net, dc=de
objectclass: organization
objectclass: top
o: Structure Net
l: Hamburg
postalcode: 21033
streetaddress: Billwiese 22
Any help is greatly appreciated.
Regards,
Stefan
Re: read openldap log file
by Luo, Frank
Can anybody give me a hint about the lines with a "r" in the end? I see a
lot of them now.
Thanks!
Frank
Jun 1 09:40:27 slapd[4049]: daemon: epoll: listen=7 active_threads=0
tvp=zero
Jun 1 09:40:27 slapd[4049]: daemon: removing 62
Jun 1 09:40:27 slapd[4049]: daemon: activity on 125 descriptors
Jun 1 09:40:27 slapd[4049]: daemon: activity on:
Jun 1 09:40:27 slapd[4049]: 115r
Jun 1 09:40:27 slapd[4049]: conn=274354 fd=62 closed
Jun 1 09:40:27 slapd[4049]: 162r
Jun 1 09:40:27 slapd[4049]: 148r
Jun 1 09:40:27 slapd[4049]: 196r
Jun 1 09:40:27 slapd[4049]: 86r
Jun 1 09:40:27 slapd[4049]: 201r
Jun 1 09:40:27 slapd[4049]: 241r
Jun 1 09:40:27 slapd[4049]: 316r
Jun 1 09:40:27 slapd[4049]: 143r
Jun 1 09:40:27 slapd[4049]: 320r
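A parser for the slapd daemon log lines shown in the post, added here as an example; it is not part of the thread or of OpenLDAP. It relies on the layout visible above: after "daemon: activity on:" slapd lists each descriptor that polled ready on its own syslog line with an "r" suffix, and "conn=N fd=M closed" records a connection teardown (the lines from other threads interleave with the list, as the closed line does here). That "w" marks a writable descriptor and the syslog prefix format are assumptions taken from slapd's conns-level debug output, not from the post.

```python
"""Summarise slapd 'conns'-level daemon log lines.  Added illustration, not
OpenLDAP code.  Assumed format: 'daemon: activity on:' is followed by one
line per ready descriptor, '<fd>r' / '<fd>w' / '<fd>rw', and
'conn=N fd=M closed' lines may interleave with that list."""
import re

FD_FLAGS = re.compile(r"^(?P<fd>\d+)(?P<flags>[rw]*)$")
CLOSED = re.compile(r"conn=(?P<conn>\d+) fd=(?P<fd>\d+) closed")
ACTIVITY = re.compile(r"daemon: activity on (?P<n>\d+) descriptors?")
# syslog prefix: "Jun 1 09:40:27 [host] slapd[4049]: " (host is optional)
PREFIX = re.compile(r"^\S+\s+\d+\s+[\d:]+\s+(?:\S+\s+)?slapd\[\d+\]:\s*")

def parse_daemon_log(text):
    """Return {'fds': fd -> set of flags, 'closed': [(conn, fd)],
    'reported': [descriptor counts slapd itself announced]}."""
    fds, closed, reported = {}, [], []
    in_list = False
    for raw in text.splitlines():
        msg = PREFIX.sub("", raw.strip())
        if not msg:
            continue
        m = ACTIVITY.search(msg)
        if m:
            reported.append(int(m.group("n")))
        m = CLOSED.search(msg)
        if m:
            closed.append((int(m.group("conn")), int(m.group("fd"))))
            continue                       # does not terminate the fd list
        if msg == "daemon: activity on:":
            in_list = True
            continue
        m = FD_FLAGS.match(msg)
        if in_list and m:
            fds.setdefault(int(m.group("fd")), set()).update(m.group("flags"))
        else:
            in_list = False                # any other daemon line ends the list
    return {"fds": fds, "closed": closed, "reported": reported}

def read_ready(summary):
    """Descriptors that were readable (the trailing 'r' in the log)."""
    return sorted(fd for fd, flags in summary["fds"].items() if "r" in flags)

# Sample input: the lines quoted in the post, with the wrapped first line rejoined.
SAMPLE = """\
Jun 1 09:40:27 slapd[4049]: daemon: epoll: listen=7 active_threads=0 tvp=zero
Jun 1 09:40:27 slapd[4049]: daemon: removing 62
Jun 1 09:40:27 slapd[4049]: daemon: activity on 125 descriptors
Jun 1 09:40:27 slapd[4049]: daemon: activity on:
Jun 1 09:40:27 slapd[4049]: 115r
Jun 1 09:40:27 slapd[4049]: conn=274354 fd=62 closed
Jun 1 09:40:27 slapd[4049]: 162r
Jun 1 09:40:27 slapd[4049]: 148r
Jun 1 09:40:27 slapd[4049]: 196r
Jun 1 09:40:27 slapd[4049]: 86r
Jun 1 09:40:27 slapd[4049]: 201r
Jun 1 09:40:27 slapd[4049]: 241r
Jun 1 09:40:27 slapd[4049]: 316r
Jun 1 09:40:27 slapd[4049]: 143r
Jun 1 09:40:27 slapd[4049]: 320r
"""

if __name__ == "__main__":
    s = parse_daemon_log(SAMPLE)
    print("readable fds:", read_ready(s))
    print("closed:", s["closed"], "reported:", s["reported"])
```

Run over a longer capture, the gap between the descriptor count slapd reports and the number of fds that actually show up readable is the quickest way to tell a genuinely busy server from a logging level that is simply too verbose for production.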
slapadd 4096-character LDIF line length limitation
by Kartik Subbarao
I wanted to ask if someone could shed some light on the 4096 character
LDIF line length limitation, which seems to have been introduced
sometime after 2.4.25. I learned about this the hard way, while trying
to slapadd an LDIF file with long jpegPhoto attributes (e.g. 50K+) which
loaded just fine on 2.4.25. Now, I get this error:
ldif_parse_line: jpegPhoto: invalid base64 encoding char (556b9f15 <=
str2entry: str2ad(....) slapadd: could not parse entry (line=14)
When I need to preprocess LDIF files before loading them with slapadd, I
often remove line continuations in order to simplify pattern matching.
So of course from my perspective, it would be great to have the previous
behavior back again. But if there are compelling reasons for the current
behavior, I'd like to suggest that the code print a better error message
that explicitly mentions the line length limit.
Regards,
-Kartik
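Two of the questions above come down to how LDIF is laid out: the "Where to find attribute description for dn" post, where dn is the record's name line defined by the LDIF format (RFC 2849) rather than an attribute in any schema file, and this slapadd post, where a long value is normally carried as folded lines (continuation lines begin with a single space) instead of one very long physical line. The reader and writer below, added here as an example and not part of either post or of OpenLDAP, parse the structure-net entry and re-emit records folded at the RFC 2849 width of 76; the base64 description value is constructed for the sample.

```python
"""Minimal LDIF (RFC 2849) reader and writer.  Added illustration, not
OpenLDAP code.  'dn:' is treated as the record's name line (it never lands
in the attribute dict); '::' values are base64; a leading space marks a
continuation of the previous line; '#' lines are comments."""
import base64

def unfold(text):
    """Join continuation lines and drop comments; returns logical lines."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    return logical

def parse_ldif(text):
    """Return a list of (dn, attrs); attrs maps lowercase attribute names to
    lists of str (base64 values are decoded as UTF-8)."""
    records, dn, attrs = [], None, {}
    for line in unfold(text) + [""]:
        if line == "":                      # blank line ends a record
            if dn is not None:
                records.append((dn, attrs))
            dn, attrs = None, {}
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"not an LDIF attrval line: {line!r}")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        name = name.strip().lower()
        if name == "version":
            continue
        if name == "dn":
            if dn is not None:
                raise ValueError("dn line inside a record")
            dn = value
            continue
        if dn is None:
            raise ValueError("attribute line before dn line")
        attrs.setdefault(name, []).append(value)
    return records

def _needs_base64(value):
    # RFC 2849 SAFE-STRING: printable ASCII, not starting with space, ':' or '<'.
    return (not value.isascii() or not value.isprintable()
            or value[:1] in (" ", ":", "<") or value.endswith(" "))

def to_ldif(records, width=76):
    """Serialise records, folding every physical line to at most `width` chars
    (76 is the RFC 2849 recommendation)."""
    out = []
    for dn, attrs in records:
        lines = [f"dn: {dn}"]
        for name, values in attrs.items():
            for v in values:
                if _needs_base64(v):
                    lines.append(f"{name}:: {base64.b64encode(v.encode()).decode()}")
                else:
                    lines.append(f"{name}: {v}")
        for line in lines:
            out.append(line[:width])
            rest = line[width:]
            while rest:                     # continuation lines start with a space
                out.append(" " + rest[:width - 1])
                rest = rest[width - 1:]
        out.append("")
    return "\n".join(out)

# Constructed sample: the entry from the dn post plus a folded base64 value.
SAMPLE = """\
# comment lines are ignored
dn: dc=structure-net, dc=de
objectclass: organization
objectclass: top
o: Structure Net
l: Hamburg
postalcode: 21033
streetaddress: Billwiese 22
description:: U3RydWN0dXJlIE5ldCwg
 SGFtYnVyZw==
"""

if __name__ == "__main__":
    for dn, attrs in parse_ldif(SAMPLE):
        print(dn, attrs)
```

Running a preprocessed file back through to_ldif before slapadd restores the folding that removing continuation lines for pattern matching took away, so a long jpegPhoto value never has to sit on a single physical line.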
nss_ldap: failed to bind to LDAP ser
by Gokan Atmaca
I installed OpenLDAP. "ldapsearch -x" returns everything. However,
I get an error when I try to connect from the client, as follows:
LDAP client (/var/log/auth.log):
02:49:58 debian8 nscd: nss_ldap: reconnecting to LDAP server (sleeping 1 seconds)...
May 31 02:49:59 debian8 nscd: nss_ldap: could not connect to any LDAP server as (null) - Can't contact LDAP server
May 31 02:49:59 debian8 nscd: nss_ldap: failed to bind to LDAP server ldapi://ldap01.gokan.local: Can't contact LDAP server
May 31 02:49:59 debian8 nscd: nss_ldap: could not search LDAP server - Server is unavailable
======================
LDAP server:
# ldapsearch -x
# extended LDIF
#
# LDAPv3
# base <dc=gokan,dc=local> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# gokan.local
dn: dc=gokan,dc=local
objectClass: top
objectClass: dcObject
objectClass: organization
o: gokan
dc: gokan
# admin, gokan.local
dn: cn=admin,dc=gokan,dc=local
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
# IT, gokan.local
dn: ou=IT,dc=gokan,dc=local
objectClass: organizationalUnit
objectClass: top
ou: IT
# Genel, IT, gokan.local
dn: cn=Genel,ou=IT,dc=gokan,dc=local
gidNumber: 500
cn: Genel
objectClass: posixGroup
objectClass: top
# Gokhan Atmaca, Genel, IT, gokan.local
dn: cn=Gokhan Atmaca,cn=Genel,ou=IT,dc=gokan,dc=local
cn: Gokhan Atmaca
givenName: Gokhan
gidNumber: 500
homeDirectory: /home/users/gokhana
sn: Atmaca
loginShell: /bin/sh
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
uidNumber: 1000
uid: gokhana
# search result
search: 2
result: 0 Success
# numResponses: 7
# numEntries: 6
======================
Listening on the socket:
tcp        0      0 0.0.0.0:389             0.0.0.0:*               LISTEN      4409/slapd
tcp6       0      0 :::389                  :::*                    LISTEN      4409/slapd
What could be the problem?
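A sanity check for the URI in an nss_ldap (or nslcd) "uri" setting, added here as an example that is not from the thread or from nss_ldap. It encodes one rule from RFC 4516 and the OpenLDAP ldapi convention: ldap:// and ldaps:// name a TCP endpoint (389 and 636 by default), whereas ldapi:// names a local Unix-domain socket whose path, when given, appears percent-encoded in the host position (for example ldapi://%2Fvar%2Frun%2Fslapd%2Fldapi). An ldapi URI that carries a DNS hostname therefore cannot reach a server listening on port 389 of another machine, whatever netstat shows on that machine.

```python
"""LDAP URI checks for an nss_ldap/nslcd 'uri' line.  Added illustration,
not from the thread or from nss_ldap."""
from urllib.parse import urlsplit, unquote

DEFAULT_PORT = {"ldap": 389, "ldaps": 636}

def check_ldap_uri(uri):
    """Return (ok, description) for one LDAP URI."""
    parts = urlsplit(uri)
    scheme = parts.scheme.lower()
    if scheme not in ("ldap", "ldaps", "ldapi"):
        return False, f"unsupported scheme {parts.scheme!r}"
    if scheme == "ldapi":
        raw_host = parts.netloc            # keep %2F encoding; urlsplit does not decode it
        if not raw_host:
            return True, "local Unix socket at the library's default socket path"
        path = unquote(raw_host)
        if path.startswith("/"):
            return True, f"local Unix socket {path}"
        return False, (f"ldapi:// expects a percent-encoded socket path, not the "
                       f"hostname {raw_host!r}; use ldap://{raw_host}/ for a TCP server")
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        port = parts.port or DEFAULT_PORT[scheme]
    except ValueError:
        return False, "port is not numeric"
    return True, f"TCP {host}:{port} via {scheme}"

def check_uri_list(line):
    """nss_ldap and nslcd accept several space-separated URIs on one 'uri' line."""
    return [(u, *check_ldap_uri(u)) for u in line.split()]

if __name__ == "__main__":
    # Constructed inputs: the URI from the auth.log above and a TCP alternative.
    for uri, ok, why in check_uri_list("ldapi://ldap01.gokan.local ldap://ldap01.gokan.local"):
        print(("ok  " if ok else "BAD "), uri, "->", why)
```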
LDAP schema issue
by Leander Schäfer
Hi
This is the current relevant part of my schema:
attributetype ( objectClassAccount:1.1
NAME 'mailAddress'
DESC 'The hosted mail addresses'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} SINGLE-VALUE )
1. How can I achieve that upper case will always and only be stored as
lower case?
2. How do I achieve a validation check whether the value is actually a
valid email address - very simple: user@domain.tld?
Thanks & Best regards
Leander
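An added example for both questions, not from the thread and not OpenLDAP code. It builds on two facts: slapd stores attribute values as received, so with caseIgnoreIA5Match comparisons are already case-insensitive but lower-casing has to happen before the value is written (here in the client or provisioning script); and a server-side shape check can be enforced with slapo-constraint(5), whose "regex" rule takes a POSIX extended regular expression. The pattern is deliberately the simple user@domain.tld shape asked for, written so that Python's re and POSIX ERE read it identically and so that it contains no whitespace that slapd's config tokenizer would split on; the database DN in the generated LDIF is an assumption.

```python
"""Normalise and validate a mail-address attribute, and emit the matching
slapo-constraint rule.  Added illustration, not from the thread."""
import re

# user@domain.tld: no '@' in the local part, at least one dot-separated label after '@'.
MAIL_RE = r"^[^@]+@[^@.]+(\.[^@.]+)+$"
_MAIL = re.compile(MAIL_RE)

def normalize_mail(value):
    """Client-side step: slapd will not lower-case the value for you."""
    return value.strip().lower()

def is_valid_mail(value):
    return _MAIL.match(value) is not None

def prepare_mail(value):
    """Return the normalised value or raise if it is not user@domain.tld."""
    v = normalize_mail(value)
    if not is_valid_mail(v):
        raise ValueError(f"not a mail address: {value!r}")
    return v

def constraint_overlay_ldif(database_dn, attribute, regex=MAIL_RE):
    """cn=config LDIF adding slapo-constraint with one regex rule for `attribute`
    (database_dn such as 'olcDatabase={1}mdb,cn=config' is assumed)."""
    return "\n".join([
        f"dn: olcOverlay=constraint,{database_dn}",
        "changetype: add",
        "objectClass: olcOverlayConfig",
        "objectClass: olcConstraintConfig",
        "olcOverlay: constraint",
        f"olcConstraintAttribute: {attribute} regex {regex}",
        "",
    ])

if __name__ == "__main__":
    print(prepare_mail("  Leander@Example.TLD "))
    print(constraint_overlay_ldif("olcDatabase={1}mdb,cn=config", "mailAddress"))
```

With the overlay in place slapd rejects a value that does not match with a constraintViolation, while the client keeps responsibility for the case of what it stores; the regex only checks shape, so the constraint and the normalisation are complementary rather than alternatives.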
Create Mailing List
by Jerry
Is it possible to create a "mailing list" in openldap? My MUA allows me to
create an alias like "MyGroup" that would then contain all the email addresses
of the people in the group. I can then simply type that alias and it is
replaced by the actual email addresses. I am looking for something like that
in openldap. I realize that I can associate multiple email addresses to a
single name; however, only one address can be chosen at a time.
--
Jerry