openldap-technical July 2015

openldap-technical@openldap.org

40 participants
37 discussions

gidNumber uniqueness
by Ferenc Wagner 03 Jul '15

03 Jul '15

Hi, We use (among others) this unique domain in a database: olcUniqueURI: ldap:///?gidNumber?sub?objectClass=posixGroup so that we can't create two groups with the same gidNumber. The problem is that this rule also denies the creation of a posixAccount belonging to an already existing posixGroup. Of course there is no problem creating the account first and the group later. How could we overcome this ordering limitation? -- Thanks, Feri.

2 2

ACL filter and posix group
by Nicolas RENAULT 03 Jul '15

03 Jul '15

Hi, I search a lot but can't find solution so I post here : I have to allow a user to get informations from internal ldap for enterprise external software (cloud backup for laptop). only some accounts have to be retreive by this external user. I create a group (posixgroup) and add members to this one (memberUid) I create the posixAccount that will be used by external software to get informations on the member of the new group. (uid,userPassword,mail,givenName,sn) so I want to make an acl that limit access for the create account to read only informations of users from the created group. I already test overlay memberOf but it's not working with memberUid (not dn style) info openldap server 2.4.40+dfsg-1 on debian jessie simple ldap ou=Users,dc=exemple,dc=com <-- all my users uid=readers,ou=Users,dc=exemple,dc=com <-- the user i want to use to see only cn=externalgroupaccess ou=Groups,dc=exemple,dc=com <-- posixGroup with memberUid cn=arcaboxUser,ou=Groups,dc=exemple,dc=com <-- the group that users have to be visible. acl : access to dn.subtree="dc=Comptes,dc=com" attrs=entry,uid,userPassword,mail,givenName,sn filter=() by dn="uid=readers,ou=Users,dc=exemple,dc=com" read by * break access to dn.subtree="dc=Comptes,dc=com" by dn="readers,ou=Users,dc=exemple,dc=com" search by * break My problem is on the filter (I think) if I use this : filter=(uid=accountuid) the user "readers" can see the information from accountuid and not from others. but cn=arcaboxUser,ou=Groups,dc=exemple,dc=com wil have more than 200 accounts. Question : Someone have an idea to build a filter that containt all cn=arcaboxUser,ou=Groups,dc=exemple,dc=com memberUid value ? I see "set" but if I understand this : http://www.openldap.org/faq/data/cache/1133.html , set is only use in by statement of acl not in filter. Thank you Nicolas (sorry for bad english) I want to make an acl that limit access for a account to read only informations of users from one group

1 0

Problems with openLDAP + GSSAPI + JAVA
by Andreas Laesser 03 Jul '15

03 Jul '15

Hi @all I have a (maybe) a problem with my openldap server authenticating over a JAVA tool (Apache Directory Studio LDAP Browser V2.0.0.v20130628, jXplorer) via GSSAPI. When I do a ldapsearch from command line via GSSAPI it works fine... ~ % klist Ticket cache: FILE:/tmp/krb5cc_1086_lR4Nxxxxrs Default principal: admin(a)SPSC.TUGRAZ.AT Valid starting Expires Service principal 30/06/2015 10:54 02/07/2015 10:54 krbtgt/SPSC.TUGRAZ.AT(a)SPSC.TUGRAZ.AT renew until 10/07/2015 10:54 30/06/2015 10:54 02/07/2015 10:54 ldap/ldap1.spsc.tugraz.at(a)SPSC.TUGRAZ.AT renew until 10/07/2015 10:54 ~ % ldapsearch -H ldaps://ldap1.spsc.tugraz.at -b "dc=SPSC,dc=TUGRAZ,dc=AT" This works well.... but if I try the same from one of the two tools mentioned above it simply not bind or connects.... Does anybody had the same problems, or knows a solution? Thanks for help regards Andreas -- ========================================================================= _____________ / ___________/ Andreas Laesser / //_// /____/ Signal Proc.& Speech Communication Lab. __/ /___/ / __ Graz University of Technology /___//____//___/ Inffeldgasse 16c/EG | A-8010 Graz | Austria http://www.spsc.tugraz.at Tel: +43 (0)316 873 -4443 Fax: DW 104439 =========================================================================

4 4

luseradd 30 minutes after restore ldif backup.
by Fabián M Sales 02 Jul '15

02 Jul '15

I install a new server with LDAP: slapd 2.4.39 And database "MDB". After installation, I use luseradd and adds the user very quickly. But if I restored a backup file BKP.LDIF another server you are running with bdb. /etc/init.d/slapd stop rm -f / var / lib / ldap / * -v -l slapadd /root/BKP.LDIF slapindex -v ldap.ldap chown -R / var / lib / ldap / /etc/init.d/slapd start Luseradd command takes more than 30 minutes. I starting the slapd service with the option "-d 1" I see this: 55957574 mdb_search: 38848 does not match filter 55957574 => mdb_entry_decode: 55957574 <= mdb_entry_decode 55957574 mdb_search: 38854 does not match filter 55957574 => mdb_entry_decode: 55957574 <= mdb_entry_decode 55957574 mdb_search: 38860 does not match filter 55957574 => mdb_entry_decode: 55957574 <= mdb_entry_decode 55957574 mdb_search: 38868 does not match filter No it should be. I need to index any field indexed? /etc/openldap/slapd.conf in my file I have: objectclass index, entryCSN, entryUUID, eq cn Any help? -- Firma Institucional *Fabián* *M. Sales *Soporte Técnico & I.T.I Linux *DonWeb * La Actitud Es Todo www.DonWeb.com ------------------------------------------------------------------------ Nota de confidencialidad: Este mensaje y archivos adjuntos al mismo son confidenciales, de uso exclusivo para el destinatario del mismo. La divulgación y/o uso del mismo sin autorización por parte de DonWeb.com queda prohibida. DonWeb.com no se hace responsable del mensaje por la falsificación y/o alteración del mismo. De no ser Ud el destinatario del mismo y lo ha recibido por error, por favor, notifique al remitente y elim?elo de su sistema. Confidentiality Note: This message and any attachments (the message) are confidential and intended solely for the addressees. Any unauthorised use or dissemination is prohibited by DonWeb.com. DonWeb.com shall not be liable for the message if altered or falsified. If you are not the intended addressee of this message, please cancel it immediately and inform the sender Nota de Confidencialidade: Esta mensagem e seus eventuais anexos podem conter dados confidenciais ou privilegiados. Se você os recebeu por engano ou não é um dos destinatários aos quais ela foi endereçada, por favor destrua-a e a todos os seus eventuais anexos ou copias realizadas, imediatamente. É proibida a retenção, distribuição, divulgação ou utilização de quaisquer informações aqui contidas. Por favor, informenos sobre o recebimento indevido desta mensagem, retornando-a para o autor.

1 0

A new open-source TLS implementation
by Andrew Findlay 02 Jul '15

02 Jul '15

Amazon have just announced a completely new implementation of TLS. By avoiding all the history and ignoring features that they don't need the code has been cut by a factor of 10 when compared with the equivalent part of OpenSSL. OpenSSL or some other crypto library is still needed, but this is surely worth a look for future use with LDAP: http://blogs.aws.amazon.com/security/post/TxCKZM94ST1S6Y/Introducing-s2n-a-… https://github.com/awslabs/s2n/blob/master/README.md Andrew -- ----------------------------------------------------------------------- | From Andrew Findlay, Skills 1st Ltd | | Consultant in large-scale systems, networks, and directory services | | http://www.skills-1st.co.uk/ +44 1628 782565 | -----------------------------------------------------------------------

4 3

Search object exception
by jupiter 02 Jul '15

02 Jul '15

Hi, I have a django application which using Python LDAP API to search LDAP objects and throws object DoesNotExist exception. I thought the search function should catch the exception, but the owner of the software said, the try / except should not be used, if it throws an exception, it is LDAP configuration problem, must fix the LDAP configuration. Is it possible to configure LDAP not throwing exception for searching non-existing objects? Thank you. hce

2 1

Thread cursor sharing
by Kristoffer Sjögren 02 Jul '15

02 Jul '15

Hi Simple question, is thread cursor sharing allowed? Cheers, -Kristoffer

1 2

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical July 2015