openldap-technical October 2016

openldap-technical@openldap.org

44 participants
57 discussions

openldap access control order behavior
by vvv jjj 25 Oct '16

25 Oct '16

Hi OpenLDAP team, I'm new to OpenLDAP and trying to learn the configuration from the openldap provided document. Please let me know if I'm posting my question in a wrong form. The question may be trivial but I was looking for the behavior which I'm not clear. My question is, does the access control order effect the behavior. That is, Is there any change in behavior for the below 2 access control commands. 1. access to * by users read by anonymous read access to dn.base=ACL by users read 2. access to dn.base=ACL by users read access to * by users read by anonymous read Please let me know your comments. Let me know if anything is not clear. Thanks for support. Regards J.Visu

2 4

Re: ditContentRule + cn=config
by Quanah Gibson-Mount 25 Oct '16

25 Oct '16

--On Tuesday, October 25, 2016 6:28 PM +0200 Dieter Klünter <dieter(a)dkluenter.de> wrote: > Hi, > it seems that slapd, starting with -F, is not able to read schema > information, prior to cn=config, > ./slapd -h "ldap://:9007/ ldapi:///" -F ../etc/openldap/slapd.d -d256 > 580f76bd config error processing cn=config: olcDitContentRules: > ObjectClass not found: "2.16.840.1.113730.3.2.2" 580f76bd slapd stopped. > > but with -f schema information is read > prior to global and database specific configuration. > ./slapd -h "ldap://:9007/ ldapi:///" -f ../etc/openldap/slapd.conf -d256 > 580f76e4 slapd starting > > Has this been fixed already? although I couldn't find a report in ITS. I doubt it has been fixed. I suggest filing an ITS with configuration(s) that reproduce the issue. --Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

1 0

Re: openldap 2.4.40 ppolicy module and shadowInactive equivalent
by Quanah Gibson-Mount 25 Oct '16

25 Oct '16

Hi Elizabeth, You would likely need to compile it yourself, as I'm not aware of any distributions that ship NSSOV (although some may). There is more information on it here: <http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=blob;f=contrib/sl…> Hope that helps! Regards, Quanah --On Tuesday, October 25, 2016 5:09 PM +0000 "Real, Elizabeth (392K)" <Elizabeth.Real(a)jpl.nasa.gov> wrote: > > > Quanah, > > > > I found little information on this contrib nssov overlay: > http://www.openldap.org/doc/admin24/guide.html#nssov > > > > How do you implement it? Is it similar to adding the ppolicy overlay? > > > > > Thank you, > > Liz > > > > From: Quanah Gibson-Mount <quanah(a)symas.com> > Reply-To: Quanah Gibson-Mount <quanah(a)symas.com> > Date: Monday, October 24, 2016 at 6:29 PM > To: "Real, Elizabeth (392K)" <Elizabeth.Real(a)jpl.nasa.gov>, > "openldap-technical(a)openldap.org" <openldap-technical(a)openldap.org> > Subject: Re: openldap 2.4.40 ppolicy module and shadowInactive equivalent > > > > > --On Monday, October 24, 2016 7:43 PM +0000 "Real, Elizabeth (392K)" > > <Elizabeth.Real(a)jpl.nasa.gov> wrote: > > > > > > I setup a password policy overlay on my openldap 2.4.40 servers running > > RHEL7. I need to enforce the following: disable accounts that have been > > inactive for 180 days. In the past we were able to do this by simply > > adding the shadowInactive attribute to each account: shadowInactive 180. > > But with the new openldap, it appears there is no equivalent attribute?? > > > > > > OpenLDAP ppolicy has never supported that attribute, as far as I know. I > > believe you are looking for the contrib nssov overlay, which does support > > it. > > > > Hope that helps! > > > > Regards, > > Quanah > > > > > > > > -- > > > > Quanah Gibson-Mount > > Product Architect > > Symas Corporation > > Packaged, certified, and supported LDAP solutions powered by OpenLDAP: > > <http://www.symas.com> > > > > -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

1 0

Re: openldap 2.4.40 ppolicy module and shadowInactive equivalent
by Quanah Gibson-Mount 25 Oct '16

25 Oct '16

--On Monday, October 24, 2016 7:43 PM +0000 "Real, Elizabeth (392K)" <Elizabeth.Real(a)jpl.nasa.gov> wrote: > I setup a password policy overlay on my openldap 2.4.40 servers running > RHEL7. I need to enforce the following: disable accounts that have been > inactive for 180 days. In the past we were able to do this by simply > adding the shadowInactive attribute to each account: shadowInactive 180. > But with the new openldap, it appears there is no equivalent attribute?? OpenLDAP ppolicy has never supported that attribute, as far as I know. I believe you are looking for the contrib nssov overlay, which does support it. Hope that helps! Regards, Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

2 1

ditContentRule + cn=config
by Dieter Klünter 25 Oct '16

25 Oct '16

Hi, it seems that slapd, starting with -F, is not able to read schema information, prior to cn=config, ./slapd -h "ldap://:9007/ ldapi:///" -F ../etc/openldap/slapd.d -d256 580f76bd config error processing cn=config: olcDitContentRules: ObjectClass not found: "2.16.840.1.113730.3.2.2" 580f76bd slapd stopped. but with -f schema information is read prior to global and database specific configuration. ./slapd -h "ldap://:9007/ ldapi:///" -f ../etc/openldap/slapd.conf -d256 580f76e4 slapd starting Has this been fixed already? although I couldn't find a report in ITS. -Dieter -- Dieter Klünter | Systemberatung http://sys4.de GPG Key ID: E9ED159B 53°37'09,95"N 10°08'02,42"E

1 0

Provider-Consumer replication 2.4 OLC (second attempt)
by Ted Hyde 25 Oct '16

25 Oct '16

1 0

Disk full, 15GB of logfiles containing timestamps
by Dan Hawkes 25 Oct '16

25 Oct '16

We've encountered a issue where openldap seems to be writing huge volumes of logs for authentication failures. Having freed up some space and run `db_recover` (which cleared out the log files), then restarted openldap, it's again written ~120MB of logs for 200 failed authentication requests. The log files are almost entirely timestamps: 0Z20161022152331.314499Z20161022152331.325384Z20161022152331.330788Z201610221523 31.350547Z20161022152331.355448Z20161022152331.369422Z20161022152331.374363Z2016 1022152331.390477Z20161022152331.410878Z20161022152331.427888Z20161022152331.438 814Z20161022152331.445610Z20161022152331.451377Z20161022152331.478571Z2016102215 2331.484278Z20161022152331.500831Z20161022152331.506391Z20161022152331.517584Z20 161022152331.522518Z20161022152331.542621Z20161022152331.547733Z20161022152331.5 66601Z20161022152331.571819Z20161022152331.582696Z20161022152331.588227Z20161022 152331.613213Z20161022152331.618932Z20161022152331.648696Z20161022152331.654433Z 20161022152331.668033Z20161022152331.677784Z20161022152331.685107Z20161022152331 .679736Z20161022152331.710191Z20161022152331.733564 OpenLDAP: slapd 2.4.40 Any ideas why this is happening?

2 1

How do I know proxy cache works or not?
by JWD 25 Oct '16

25 Oct '16

How do I know proxy cache works or not? And what cache hit?what is not? -------------- JWD

3 3

openldap 2.4.40 ppolicy module and shadowInactive equivalent
by Real, Elizabeth (392K) 24 Oct '16

24 Oct '16

Hello, I setup a password policy overlay on my openldap 2.4.40 servers running RHEL7. I need to enforce the following: disable accounts that have been inactive for 180 days. In the past we were able to do this by simply adding the shadowInactive attribute to each account: shadowInactive 180. But with the new openldap, it appears there is no equivalent attribute?? http://www.openldap.org/doc/admin24/ http://www.zytrax.com/books/ldap/ch6/ppolicy.html Thank you, Liz

1 0

Disable Linux commands for LDAP users
by Bernard Fay 24 Oct '16

24 Oct '16

Hi, I would like to able to disable some Linux commands for LDAP users. One of those commands is passwd. Because of some specific needs, when the LDAP users have to change their password a special script has been created for this purpose. They MUST not use passwd but this command is still required by local users. Does one of you might have an idea to disable Linux commands for LDAP users only? Thanks, Bernard

4 4

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical October 2016