October 2016 - openldap-technical

Re: Provider-Consumer replication 2.4 OLC (second attempt)

by Ted Hyde

6 years, 5 months

1
0
0 / 0

some memberUid in my database are hashed

by Giovanni Biscuolo

Hi, I've an openldap database I use for auth purposes in which some memberUid is hashed while other not, e.g.: (results given by sudo ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b ou=Groups,dc=unit,dc=company,dc=net) .......................... dn: cn=GROUP,ou=Groups,dc=unit,dc=company,dc=net objectClass: top objectClass: posixGroup cn: GROUP gidNumber: 1026 memberUid: firstuser memberUid:: IGFyaWFubmE= [...] ........................... I cannot find any documentation about this kind of "memberUid hashed storage", the only differece is the double colon after memberUid please can you point me to the documentation or tell me how to "decode" the memberUid information also, on a client machine configured to use libnss-ldapd, if I list the groups with "sudo getent group" I can see the "clear text" members (e.g. firstuser in the example above) but not the "hashed" one; the same using the "members" command ciao Giovanni -- Giovanni Biscuolo Xelera - IT infrastructures http://xelera.eu/contact-us/

6 years, 5 months

4
5
0 / 0

Changing server FQDN and certificate

by COMBES Julien - SG/SPSSI/CPII/DOSE/ET/PNE ANNUAIRE ET MESSAGERIE

Hello, Due to a decision of our IT Departement, I have to change the domain name of ours openldap servers and by extention all of their certificates. We have two ldap providers in mirror mode and fourteen ldap consumers. Those servers have ACL based (in part) on IP address to force TLS/SSL for some usages and they're accessed by a lots of ldap clients. I'm looking for a way to make a transition without duplicating all ldap servers during the time we change the fqdn and CA certificate on each client. This transition is quite easy with Apache and virtual host. AFAIK, openldap doesn't provide a Virtual Host system so I have to find an other way. I have tried a solution with stunnel which listens on an other IP address with a new certificate. But, as the connection from the stunnel to the ldap server comes from localhost and not from the original client, this is not working correctly with the ldaps's ACLs. Is someone have do this before or someone has an idea to do it ? Regards, Julien COMBES

6 years, 5 months

2
1
0 / 0

Re: some memberUid in my database are hashed

by Giovanni Biscuolo

Hi Ulrich, * Ulrich Windl [2016-10-27 09:09:44 +0200]: [...] > > to be a little more clear: "getent group" does not show the base64 encoded > > users (aka listed as "memberUid:: ..." in LDIF) > > Which command did you use? "getent group" as I said :-) > Here (SLES11 SP4) a "getent passwd | grep 'the > entry you are looking for'" gives a corresponding result. me too, but I have issues "just" with memberUid attributes in my groups, not with usernames in general [...] > BTW: Decoding your "IGFyaWFubmE=" gives " arianna". A leading space in the > user name is _very_ experimental! OK let's assume it's _very_ experimental, anyway I just notice that: > > on the other side, "groups <user>" correctly lists all the groups the user > > is member of, despite the base64 encoding of its memberUid attribute so I don't really know why "groups" correctly lists LDAP groups in which user is listed as memberUid (base64 encoded with leading spaces), while "getent passwd" stops processing usernames at first base64 encountered name all I know is that standard unix file permissions and nfsv4 ACLs are working fine with this uncommon memberUid base64 encoded attributes for sure I'd avoid using base64 encoded memberUid attributes, but it happened somehow (still investigating) and it seems that having leading (or trailing?) spaces in that attribute (causing it to be base64 encoded) does not cause any problem to libnss-ldapd (pretty stadard configured) ...so, being very lazy, I'm investigating the possibility to leave the attributes alone and write a simple ldapsearch wrap script for my users to list all available groups and their members best regards Giovanni -- Giovanni Biscuolo Xelera - IT infrastructures http://xelera.eu/contact-us/ **per favore** Quota Bene: http://wiki.news.nic.it/QuotarBene **please** use Inline Reply: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

6 years, 5 months

2
1
0 / 0

Re: Provider-Consumer replication 2.4 OLC (second attempt)

by Quanah Gibson-Mount

--On Tuesday, October 25, 2016 11:34 AM -0400 Ted Hyde <laserted(a)gmail.com> wrote: > Greets - (first post, second time. Don't know if it's being moderated or > dropped, will keep trying). It ended up in my spam folder for some reason. > After installation, I have two functioning standalone servers. During my > research, I found two conflicting pieces of information. I prefer to > perform "refreshOnly" instead of "refreshAndPersist", so some sources say > ONLY the consumers need configuration, a couple said both sides need > configuration AND a number of additional indices. This is likely where my > problems arise. I strongly advise only using refreshAndPersist. I'm not sure why you are referring to random how-not-to-do things on the interweb. You should use the OpenLDAP admin guide: <http://www.openldap.org/doc/admin24/replication.html> > Any thoughts? Read the admin guide, as noted above. The examples are still slapd.conf, but you can trivially translate those to what are necessary for cn=config. --Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

6 years, 5 months

1
0
0 / 0

Re: Account computer

by Kwame Bahena

LOL. Don't get upset. You didn't mention at first that you are using samba with OpenLDAP. Take a look at this link http://lmgtfy.com/?q=disable+inactive+accounts+Samba+with+OpenLDAP On Thu, Oct 27, 2016 at 12:33 PM, Itamar S. <immaggoo(a)gmail.com> wrote: > > 2016-10-27 15:32 GMT-02:00 Itamar S. <immaggoo(a)gmail.com>: > >> Fk you. >> >> If I had a CD would have done. I'm using Samba with OpenLDAP. >> > > Fk you. > > If I had a AD would have done. I'm using Samba with OpenLDAP. >

6 years, 5 months

1
0
0 / 0

Account computer

by Itamar S.

Hello, How can I disable accounts computer that have been inactive for 180 days?

6 years, 5 months

3
2
0 / 0

Proxy cache not work with <attribute not in schema>

by JWD

slapd 2.4.40 Windows AD as proxy backend. I found any query match <pcacheTemplate>+<pcacheAttrset>+<attribute not in schema> will answer <pcacheAttrset> value only, <attribute not in schema> will be ignored. This is not what I expected, I need <attribute not in schema> too. But query anything else that not in cache, <attribute not in schema> will be cached. Log message like this: 580ec506 PROXIED attributeDescription "PRIMARYGROUPID" inserted. And after that, query match <pcacheTemplate>+<pcacheAttrset>+<attribute not in schema> will answer <attribute not in schema> too. This is what I expected. Do I have to add schema for <attribute not in schema>? Is there any other way to make <attribute not in schema> CACHEABLE? -------------- JWD

6 years, 5 months

2
2
0 / 0

Re: delta-synrepl consumer randomly delete objects

by Quanah Gibson-Mount

--On Thursday, October 20, 2016 10:19 AM +0200 Raffael Sahli <public(a)raffaelsahli.com> wrote: > Hi > > What can lead a consumer to "randomly" delete ~50% of all objects in his > database? I have this problem now for ~1-2months and on 3 different > master/slave groups. > > The consumer starts to delete objects (but those are all present on the > master): > > Oct 19 17:16:22 ldap-slave002.xxx slapd[8554]: do_syncrep2: rid=999 > LDAP_RES_INTERMEDIATE - SYNC_ID_SET Oct 19 17:16:22 ldap-slave002.xxx This is not delta-syncrepl, this is syncrepl. What triggered your system to fall back to syncrepl? --Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

6 years, 5 months

2
1
0 / 0

openldap access control order behavior

by vvv jjj

Hi OpenLDAP team, I'm new to OpenLDAP and trying to learn the configuration from the openldap provided document. Please let me know if I'm posting my question in a wrong form. The question may be trivial but I was looking for the behavior which I'm not clear. My question is, does the access control order effect the behavior. That is, Is there any change in behavior for the below 2 access control commands. 1. access to * by users read by anonymous read access to dn.base=ACL by users read 2. access to dn.base=ACL by users read access to * by users read by anonymous read Please let me know your comments. Let me know if anything is not clear. Thanks for support. Regards J.Visu

6 years, 5 months

2
4
0 / 0

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical October 2016