gidNumber uniqueness
by Ferenc Wagner
Hi,
We use (among others) this unique domain in a database:
olcUniqueURI: ldap:///?gidNumber?sub?objectClass=posixGroup
so that we can't create two groups with the same gidNumber. The problem
is that this rule also denies the creation of a posixAccount belonging
to an already existing posixGroup. Of course there is no problem
creating the account first and the group later. How could we overcome
this ordering limitation?
--
Thanks,
Feri.
5 years, 9 months
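A small model of the behaviour Feri describes, added here as an illustration (it is not OpenLDAP's code): the filter in the unique URI only narrows what the uniqueness search matches, while any entry carrying gidNumber triggers that search, so an account whose gidNumber equals an existing group's collides, but a group added after the account does not. The directory contents, DNs and the tiny filter evaluator are constructed for the example.

```python
"""Model of the slapo-unique behaviour described in the post.

Added illustration, not OpenLDAP code: the URI filter narrows what the
uniqueness search matches, while any entry carrying the attribute triggers
the search, which reproduces the ordering problem.  Directory is constructed.
"""

# Constructed sample directory: dn -> {attribute: [values]}
DIRECTORY = {
    "cn=staff,ou=Groups,dc=example,dc=com": {
        "objectClass": ["posixGroup"], "gidNumber": ["1000"]},
    "uid=bob,ou=Users,dc=example,dc=com": {
        "objectClass": ["posixAccount"], "gidNumber": ["2000"]},
}

def matches(attrs, filt):
    """Evaluate the small filter subset needed here: (a=v) and (&(...)(...))."""
    filt = filt.strip()
    if filt.startswith("(&"):
        parts, cur, depth = [], "", 0
        for ch in filt[2:-1]:            # split the AND into its sub-filters
            cur += ch
            depth += (ch == "(") - (ch == ")")
            if depth == 0:
                parts.append(cur)
                cur = ""
        return all(matches(attrs, p) for p in parts)
    attr, value = filt[1:-1].split("=", 1)
    return value in attrs.get(attr, [])

def unique_conflicts(directory, new_dn, new_attrs, uri_attr, uri_filter):
    """DNs that slapo-unique would report as conflicting with the new entry.

    The check fires whenever the new entry carries uri_attr; the search it
    runs is (&(uri_filter)(uri_attr=value)), so the filter only limits the
    candidates, not the triggering entry.
    """
    conflicts = []
    for value in new_attrs.get(uri_attr, []):
        search = "(&%s(%s=%s))" % (uri_filter, uri_attr, value)
        for dn, attrs in directory.items():
            if dn != new_dn and matches(attrs, search):
                conflicts.append(dn)
    return conflicts

# The unique URI from the post: ldap:///?gidNumber?sub?objectClass=posixGroup
URI_ATTR, URI_FILTER = "gidNumber", "(objectClass=posixGroup)"
```

Adding `uid=alice` with gidNumber 1000 is refused because `cn=staff` matches the search, whereas adding a group with gidNumber 2000 passes even though `uid=bob` already carries that value.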
ACL filter and posix group
by Nicolas RENAULT
Hi,
I searched a lot but can't find a solution, so I post here:
I have to allow a user to get information from the internal LDAP for
enterprise external software (cloud backup for laptops). Only some
accounts have to be retrievable by this external user.
I created a group (posixGroup) and added members to it (memberUid).
I created the posixAccount that will be used by the external software to get
information on the members of the new group
(uid, userPassword, mail, givenName, sn).
So I want to make an ACL that limits access for the created account to
read only information of users from the created group.
I already tested the memberOf overlay, but it's not working with memberUid (not
DN style).
info:
openldap server 2.4.40+dfsg-1 on debian jessie
simple ldap:
ou=Users,dc=exemple,dc=com <-- all my users
uid=readers,ou=Users,dc=exemple,dc=com <-- the user I want to use to
see only cn=externalgroupaccess
ou=Groups,dc=exemple,dc=com <-- posixGroup with memberUid
cn=arcaboxUser,ou=Groups,dc=exemple,dc=com <-- the group whose
users have to be visible.
acl:
access to dn.subtree="dc=Comptes,dc=com"
    attrs=entry,uid,userPassword,mail,givenName,sn filter=()
    by dn="uid=readers,ou=Users,dc=exemple,dc=com" read
    by * break
access to dn.subtree="dc=Comptes,dc=com"
    by dn="uid=readers,ou=Users,dc=exemple,dc=com" search
    by * break
My problem is on the filter (I think). If I use this:
filter=(uid=accountuid)
the user "readers" can see the information from accountuid and not from
others.
But cn=arcaboxUser,ou=Groups,dc=exemple,dc=com will have more than 200
accounts.
Question: Does someone have an idea how to build a filter that contains all
cn=arcaboxUser,ou=Groups,dc=exemple,dc=com memberUid values?
I see "set", but if I understand this:
http://www.openldap.org/faq/data/cache/1133.html , set is only used in the by
statement of an acl, not in the filter.
Thank you
Nicolas
(sorry for bad english)
I want to make an ACL that limits access for an account to read only
information of users from one group.
5 years, 9 months
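One workaround for Nicolas's question, added here as an example and not as a reply from the thread: the `filter=` clause of an `access` directive takes an LDAP filter, not a set, so the group's memberUid values can be expanded into an `(|(uid=...)...)` filter and written into the ACL. The script reads a constructed LDIF of the group (in practice it would come from `slapcat`), escapes the values, and emits the access line; it must be re-run whenever membership changes, and with 200 members the resulting filter is long but still valid.

```python
"""Expand a posixGroup's memberUid values into a static slapd ACL filter.

Added example, not from the thread: slapd's access 'filter=' takes an
LDAP filter, not a set, so the membership is expanded into (|(uid=..)..).
The LDIF is constructed; in practice it would come from slapcat.
"""
GROUP_DN = "cn=arcaboxUser,ou=Groups,dc=exemple,dc=com"
READER_DN = "uid=readers,ou=Users,dc=exemple,dc=com"
USERS_BASE = "ou=Users,dc=exemple,dc=com"
# The post lists userPassword too; handing password hashes to a third-party
# reader is a risk, so it is left out of the readable attributes here.
ATTRS = "entry,uid,mail,givenName,sn"

SAMPLE_LDIF = """dn: cn=arcaboxUser,ou=Groups,dc=exemple,dc=com
objectClass: posixGroup
cn: arcaboxUser
gidNumber: 5000
memberUid: alice
memberUid: bob
memberUid: carol
"""

def member_uids(ldif_text, group_dn):
    """Collect the memberUid values of the LDIF entry whose dn is group_dn."""
    uids, in_group = [], False
    for line in ldif_text.splitlines():
        if line.startswith("dn: "):
            in_group = line[4:].strip().lower() == group_dn.lower()
        elif in_group and line.startswith("memberUid: "):
            uids.append(line[len("memberUid: "):].strip())
    return uids

def ldap_escape(value):
    """Escape RFC 4515 specials so a uid value cannot change the filter shape."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\0" else c for c in value)

def uid_filter(uids):
    """Build (|(uid=a)(uid=b)...); a single uid needs no OR wrapper."""
    unique = sorted(set(uids))
    if not unique:
        raise ValueError("group has no memberUid values; refusing to emit an open filter")
    terms = "".join("(uid=%s)" % ldap_escape(u) for u in unique)
    return terms if len(unique) == 1 else "(|%s)" % terms

def access_line(uids):
    """Render the slapd.conf access directive; regenerate when membership changes."""
    template = ('access to dn.subtree="%s" attrs=%s filter=%s\n'
                '    by dn.exact="%s" read\n'
                '    by * break')
    return template % (USERS_BASE, ATTRS, uid_filter(uids), READER_DN)
```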
Problems with openLDAP + GSSAPI + JAVA
by Andreas Laesser
Hi @all
I have (maybe) a problem with my openldap server authenticating over a
JAVA tool (Apache Directory Studio LDAP Browser V2.0.0.v20130628,
jXplorer) via GSSAPI.
When I do an ldapsearch from the command line via GSSAPI it works fine...
~ % klist
Ticket cache: FILE:/tmp/krb5cc_1086_lR4Nxxxxrs
Default principal: admin(a)SPSC.TUGRAZ.AT
Valid starting Expires Service principal
30/06/2015 10:54 02/07/2015 10:54 krbtgt/SPSC.TUGRAZ.AT(a)SPSC.TUGRAZ.AT
renew until 10/07/2015 10:54
30/06/2015 10:54 02/07/2015 10:54 ldap/ldap1.spsc.tugraz.at(a)SPSC.TUGRAZ.AT
renew until 10/07/2015 10:54
~ % ldapsearch -H ldaps://ldap1.spsc.tugraz.at -b "dc=SPSC,dc=TUGRAZ,dc=AT"
This works well....
but if I try the same from one of the two tools mentioned above it
simply does not bind or connect....
Has anybody had the same problems, or does anyone know a solution?
Thanks for help
regards Andreas
--
Andreas Laesser
Signal Proc. & Speech Communication Lab.
Graz University of Technology
Inffeldgasse 16c/EG | A-8010 Graz | Austria
http://www.spsc.tugraz.at Tel: +43 (0)316 873 -4443 Fax: DW 104439
5 years, 9 months
luseradd 30 minutes after restore ldif backup.
by Fabián M Sales
I installed a new server with LDAP: slapd 2.4.39 and database "MDB".
After installation, I use luseradd and it adds the user very quickly.
But if I restore a backup file BKP.LDIF from another server that is running
with bdb:
/etc/init.d/slapd stop
rm -f /var/lib/ldap/*
slapadd -v -l /root/BKP.LDIF
slapindex -v
chown -R ldap.ldap /var/lib/ldap/
/etc/init.d/slapd start
the luseradd command takes more than 30 minutes.
Starting the slapd service with the option "-d 1", I see this:
55957574 mdb_search: 38848 does not match filter
55957574 => mdb_entry_decode:
55957574 <= mdb_entry_decode
55957574 mdb_search: 38854 does not match filter
55957574 => mdb_entry_decode:
55957574 <= mdb_entry_decode
55957574 mdb_search: 38860 does not match filter
55957574 => mdb_entry_decode:
55957574 <= mdb_entry_decode
55957574 mdb_search: 38868 does not match filter
It should not be like this.
Do I need to index any field?
In my file /etc/openldap/slapd.conf I have:
index objectClass,entryCSN,entryUUID,cn eq
Any help?
--
Fabián M. Sales
Technical Support & I.T.I Linux
DonWeb
Attitude Is Everything
www.DonWeb.com
5 years, 9 months
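The `-d 1` excerpt above is the signature of a search that is not served by an index: each `mdb_search: <id> does not match filter` line is an entry that mdb fetched and decoded only to discard it, and with only objectClass, entryCSN, entryUUID and cn indexed, a search on any other attribute walks the whole database. As an added example (not from the thread), the script below parses a constructed excerpt in that format and flags long runs of rejected candidates, turning the hex time prefix into a timestamp so the scan can be placed in time.

```python
"""Flag full candidate scans in slapd '-d 1' output like the excerpt above.

Added example, not from the thread.  Every 'mdb_search: <id> does not match
filter' line is one entry mdb fetched and decoded just to discard it; long
runs mean the search filter used no index.  The log excerpt is constructed.
"""
import re
from datetime import datetime, timezone

LINE_RE = re.compile(r"^([0-9a-f]{8}) (.*)$")   # hex time prefix + message
MISS_RE = re.compile(r"^mdb_search: (\d+) does not match filter$")

def _constructed_log():
    lines = ["55957574 => mdb_search"]
    for eid in range(38848, 38884, 6):            # six rejected candidates
        lines += ["55957574 mdb_search: %d does not match filter" % eid,
                  "55957574 => mdb_entry_decode:",
                  "55957574 <= mdb_entry_decode"]
    lines.append("55957575 <= mdb_search")
    return "\n".join(lines)

SAMPLE_LOG = _constructed_log()

def parse(line):
    """Split a debug line into (UTC datetime from the hex prefix, message)."""
    m = LINE_RE.match(line)
    if not m:
        return None, line
    return datetime.fromtimestamp(int(m.group(1), 16), tz=timezone.utc), m.group(2)

def scan_runs(log_text, threshold=5):
    """Return (start_time, first_entry_id, misses) for runs of >= threshold rejects."""
    runs, run = [], None
    for raw in log_text.splitlines():
        ts, msg = parse(raw)
        miss = MISS_RE.match(msg)
        if miss:
            if run is None:
                run = [ts, int(miss.group(1)), 0]
            run[2] += 1
        elif "mdb_entry_decode" in msg:
            continue                              # decode lines belong to the scan
        else:
            if run and run[2] >= threshold:
                runs.append(tuple(run))
            run = None
    if run and run[2] >= threshold:
        runs.append(tuple(run))
    return runs
```

Run it over a real `-d 1` capture; a run of many thousands of rejects for one search is the moment to add an `index <attr> eq` for the attribute in that search's filter and re-run `slapindex`.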
Search object exception
by jupiter
Hi,
I have a django application which uses the Python LDAP API to search LDAP
objects, and it throws an object DoesNotExist exception. I thought the search
function should catch the exception, but the owner of the software said
the try / except should not be used; if it throws an exception, it is an LDAP
configuration problem, and the LDAP configuration must be fixed.
Is it possible to configure LDAP not to throw an exception when searching for
non-existing objects?
Thank you.
hce
5 years, 9 months
Thread cursor sharing
by Kristoffer Sjögren
Hi
Simple question, is thread cursor sharing allowed?
Cheers,
-Kristoffer
5 years, 9 months