openldap-technical June 2015

openldap-technical@openldap.org

50 participants
49 discussions

AW: OLC permissions - general beginner question
by Stefan Bauer 03 Jun '15

03 Jun '15

-----Ursprüngliche Nachricht----- Von: Ferenc Wagner <wferi(a)niif.hu> > You do not "logon", you use external authentication, which means there's > no separate BIND step, like with simple bind (-x) for example. External > authenication is not done by slapd (hence its name; it's done by the > kernel in the above case), thus slapd can't fail it. The only LDAP > operation it sees is a search, and the authenticated DN > (gidNumber=X+uidNumber=Y,...) is not authorized for that, so the result > is "No such object". As ACLs belong to target objects, they are not > suitable for forcing server disconnection as soon as the authenticated > DN is known. Maybe LDAP doesn't even allow such behaviour. Hi, thank you for clarification. Stefan

1 0

Next Release of LMDB
by Vishesh Handa 03 Jun '15

03 Jun '15

Hey guys Is there some kind of rough timeline for when the next version of LMDB will be released? We're using it in KDE and we need the patch for robust mutexes, which is currently in git. I'm not too comfortable in asking all the distributions to have that patch, though opensuse already does that. -- Vishesh Handa

2 2

deleting pwdPolicySubentry attribute
by David Magda 03 Jun '15

03 Jun '15

Hello, "pwdPolicySubentry" is an operational attribute per slapo-ppolicy(5). I was able to add it quite easily, but I can't seem to delete it so an account goes back to using the default policy: $ ldapsearch -H ldap://master -W -D 'cn=admin,dc=example,dc=com' -b 'dc=example,dc=com' '(uid=dmagda)' + Enter LDAP Password: # dmagda, People, example.com dn: uid=dmagda,ou=People,dc=example,dc=com structuralObjectClass: inetOrgPerson entryUUID: 1b0d0b6c-1115-1030-8396-1ba5239e5e7d creatorsName: cn=admin,dc=example,dc=com createTimestamp: 20110512185510Z pwdPolicySubentry: cn=service,ou=pwpolicies,dc=example,dc=com entryCSN: 20150602173051.854144Z#000000#000#000000 modifiersName: cn=admin,dc=example,dc=com modifyTimestamp: 20150602173051Z entryDN: uid=dmagda,ou=People,dc=example,dc=com subschemaSubentry: cn=Subschema hasSubordinates: FALSE $ cat del.ldif dn: uid=dmagda,ou=People,dc=example,dc=com changetype: modify delete: pwdPolicySubentry $ ldapsearch -H ldap://master -W -D 'cn=admin,dc=example,dc=com' -f del.ldif Enter LDAP Password: [...] # search result search: 2 result: 32 No such object Given that I could add the attribute, was thought that it could be deleted as well. Thanks for any info. Regards, David

2 2

Where to find attribute description for dn in core.schema
by Stefan Bauer 02 Jun '15

02 Jun '15

Dear Users, I'm trying to understand the LDIF format and wonder in which schema file the attribute 'dn' is defined? I can only find the long form distinguishedName in core.schema. This is the example I'm using for research: dn: dc=structure-net, dc=de objectclass: organization objectclass: top o: Structure Net l: Hamburg postalcode: 21033 streetaddress: Billwiese 22 Any help is greatly appreciated. Regards, Stefan

3 3

Re: read openldap log file
by Luo, Frank 02 Jun '15

02 Jun '15

Can anybody give me a hint about the lines with a "r" in the end? I see a lot of them now. Thanks! Frank Jun 1 09:40:27 slapd[4049]: daemon: epoll: listen=7 active_threads=0 tvp=zero Jun 1 09:40:27 slapd[4049]: daemon: removing 62 Jun 1 09:40:27 slapd[4049]: daemon: activity on 125 descriptors Jun 1 09:40:27 slapd[4049]: daemon: activity on: Jun 1 09:40:27 slapd[4049]: 115r Jun 1 09:40:27 slapd[4049]: conn=274354 fd=62 closed Jun 1 09:40:27 slapd[4049]: 162r Jun 1 09:40:27 slapd[4049]: 148r Jun 1 09:40:27 slapd[4049]: 196r Jun 1 09:40:27 slapd[4049]: 86r Jun 1 09:40:27 slapd[4049]: 201r Jun 1 09:40:27 slapd[4049]: 241r Jun 1 09:40:27 slapd[4049]: 316r Jun 1 09:40:27 slapd[4049]: 143r Jun 1 09:40:27 slapd[4049]: 320r On Mon, Jun 1, 2015 at 10:12 AM, Luo, Frank <luoy(a)miamioh.edu> wrote: > Can anybody give me a hint about the lines with a "r" in the end? I see a > lot of them now. > > Thanks! > > Frank > > > Jun 1 09:40:27 slapd[4049]: daemon: epoll: listen=7 active_threads=0 > tvp=zero > Jun 1 09:40:27 slapd[4049]: daemon: removing 62 > Jun 1 09:40:27 slapd[4049]: daemon: activity on 125 descriptors > Jun 1 09:40:27 slapd[4049]: daemon: activity on: > Jun 1 09:40:27 slapd[4049]: 115r > Jun 1 09:40:27 slapd[4049]: conn=274354 fd=62 closed > Jun 1 09:40:27 slapd[4049]: 162r > Jun 1 09:40:27 slapd[4049]: 148r > Jun 1 09:40:27 slapd[4049]: 196r > Jun 1 09:40:27 slapd[4049]: 86r > Jun 1 09:40:27 slapd[4049]: 201r > Jun 1 09:40:27 slapd[4049]: 241r > Jun 1 09:40:27 slapd[4049]: 316r > Jun 1 09:40:27 slapd[4049]: 143r > Jun 1 09:40:27 slapd[4049]: 320r > > >

2 1

slapadd 4096-character LDIF line length limitation
by Kartik Subbarao 01 Jun '15

01 Jun '15

I wanted to ask if someone could shed some light on the 4096 character LDIF line length limitation, which seems to have been introduced sometime after 2.4.25. I learned about this the hard way, while trying to slapadd an LDIF file with long jpegPhoto attributes (e.g. 50K+) which loaded just fine on 2.4.25. Now, I get this error: ldif_parse_line: jpegPhoto: invalid base64 encoding char (556b9f15 <= str2entry: str2ad(....) slapadd: could not parse entry (line=14) When I need to preprocess LDIF files before loading them with slapadd, I often remove line continuations in order to simplify pattern matching. So of course from my perspective, it would be great to have the previous behavior back again. But if there are compelling reasons for the current behavior, I'd like to suggest that the code print a better error message that explicitly mentions the line length limit. Regards, -Kartik

2 2

nss_ldap: failed to bind to LDAP ser
by Gokan Atmaca 01 Jun '15

01 Jun '15

I installed OpenLDAP. "ldapsearch -x" comes with everything. However, I get an error when I try to connect to the client as follows: Ldapcliet: (/var/log/auth.log) 02:49:58 debian8 nscd: nss_ldap: reconnecting to LDAP server (sleeping 1 seconds)... May 31 02:49:59 debian8 nscd: nss_ldap: could not connect to any LDAP server as (null) - Can't contact LDAP server May 31 02:49:59 debian8 nscd: nss_ldap: failed to bind to LDAP server ldapi://ldap01.gokan.local: Can't contact LDAP server May 31 02:49:59 debian8 nscd: nss_ldap: could not search LDAP server - Server is unavailable ====================== Ldapserver; # ldapsearch -x # extended LDIF # # LDAPv3 # base <dc=gokan,dc=local> (default) with scope subtree # filter: (objectclass=*) # requesting: ALL # # gokan.local dn: dc=gokan,dc=local objectClass: top objectClass: dcObject objectClass: organization o: gokan dc: gokan # admin, gokan.local dn: cn=admin,dc=gokan,dc=local objectClass: simpleSecurityObject objectClass: organizationalRole cn: admin description: LDAP administrator # IT, gokan.local dn: ou=IT,dc=gokan,dc=local objectClass: organizationalUnit objectClass: top ou: IT # Genel, IT, gokan.local dn: cn=Genel,ou=IT,dc=gokan,dc=local gidNumber: 500 cn: Genel objectClass: posixGroup objectClass: top # Gokhan Atmaca, Genel, IT, gokan.local dn: cn=Gokhan Atmaca,cn=Genel,ou=IT,dc=gokan,dc=local cn: Gokhan Atmaca givenName: Gokhan gidNumber: 500 homeDirectory: /home/users/gokhana sn: Atmaca loginShell: /bin/sh objectClass: inetOrgPerson objectClass: posixAccount objectClass: top uidNumber: 1000 uid: gokhana # search result search: 2 result: 0 Success # numResponses: 7 # numEntries: 6 ====================== Listening to the socket. tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN 4409/slapd tcp6 0 0 :::389 :::* LISTEN 4409/slapd What could be the problem?

2 1

LDAP schema issue
by Leander Schäfer 01 Jun '15

01 Jun '15

Hi This is the current relevant part of my schema: attributetype ( objectClassAccount:1.1 NAME 'mailAddress' DESC 'The hosted mail addresses' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} SINGLE-VALUE ) 1. How can I achieve, that upper case will always and only be stored as lower case? 2. How do I achieve a validation check whether the value is actually a valid email addres - very simple: user(a)domain.tld? Thanks & Best regards Leander

3 2

Create Mailing List
by Jerry 01 Jun '15

01 Jun '15

Is it possible to create a "mailing list" in openldap? My MUA allows me to create an alias like "MyGroup" that would then contain all the email addresses of the people in the group. I can then simply type that alias and it is replaced by the actual email addresses. I am looking for something like that in openldap. I realize that I can associate multiple email addresses to a single name; however, only one address can be chosen at a time. -- Jerry

4 3

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical June 2015