Re: ditContentRule + cn=config
by Quanah Gibson-Mount
--On Tuesday, October 25, 2016 6:28 PM +0200 Dieter Klünter
<dieter(a)dkluenter.de> wrote:
> Hi,
> it seems that slapd, started with -F, is not able to read schema
> information prior to cn=config:
> ./slapd -h "ldap://:9007/ ldapi:///" -F ../etc/openldap/slapd.d -d256
> 580f76bd config error processing cn=config: olcDitContentRules:
> ObjectClass not found: "2.16.840.1.113730.3.2.2"
> 580f76bd slapd stopped.
>
> but with -f, schema information is read
> prior to the global and database-specific configuration.
> ./slapd -h "ldap://:9007/ ldapi:///" -f ../etc/openldap/slapd.conf -d256
> 580f76e4 slapd starting
>
> Has this been fixed already? I couldn't find a report in ITS, though.
I doubt it has been fixed. I suggest filing an ITS with configuration(s)
that reproduce the issue.
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
6 years, 5 months
Re: openldap 2.4.40 ppolicy module and shadowInactive equivalent
by Quanah Gibson-Mount
Hi Elizabeth,
You would likely need to compile it yourself, as I'm not aware of any
distributions that ship NSSOV (although some may).
There is more information on it here:
<http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=blob;f=contrib/...>
Hope that helps!
Regards,
Quanah
--On Tuesday, October 25, 2016 5:09 PM +0000 "Real, Elizabeth (392K)"
<Elizabeth.Real(a)jpl.nasa.gov> wrote:
> Quanah,
>
> I found little information on this contrib nssov overlay:
> http://www.openldap.org/doc/admin24/guide.html#nssov
>
> How do you implement it? Is it similar to adding the ppolicy overlay?
>
> Thank you,
>
> Liz
>
> From: Quanah Gibson-Mount <quanah(a)symas.com>
> Reply-To: Quanah Gibson-Mount <quanah(a)symas.com>
> Date: Monday, October 24, 2016 at 6:29 PM
> To: "Real, Elizabeth (392K)" <Elizabeth.Real(a)jpl.nasa.gov>,
> "openldap-technical(a)openldap.org" <openldap-technical(a)openldap.org>
> Subject: Re: openldap 2.4.40 ppolicy module and shadowInactive equivalent
>
> --On Monday, October 24, 2016 7:43 PM +0000 "Real, Elizabeth (392K)"
> <Elizabeth.Real(a)jpl.nasa.gov> wrote:
>
> I set up a password policy overlay on my openldap 2.4.40 servers running
> RHEL7. I need to enforce the following: disable accounts that have been
> inactive for 180 days. In the past we were able to do this by simply
> adding the shadowInactive attribute to each account: shadowInactive 180.
> But with the new openldap, it appears there is no equivalent attribute??
>
> OpenLDAP ppolicy has never supported that attribute, as far as I know. I
> believe you are looking for the contrib nssov overlay, which does support
> it.
>
> Hope that helps!
>
> Regards,
> Quanah
>
> --
> Quanah Gibson-Mount
> Product Architect
> Symas Corporation
> Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
> <http://www.symas.com>
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
Re: openldap 2.4.40 ppolicy module and shadowInactive equivalent
by Quanah Gibson-Mount
--On Monday, October 24, 2016 7:43 PM +0000 "Real, Elizabeth (392K)"
<Elizabeth.Real(a)jpl.nasa.gov> wrote:
> I set up a password policy overlay on my openldap 2.4.40 servers running
> RHEL7. I need to enforce the following: disable accounts that have been
> inactive for 180 days. In the past we were able to do this by simply
> adding the shadowInactive attribute to each account: shadowInactive 180.
> But with the new openldap, it appears there is no equivalent attribute??
OpenLDAP ppolicy has never supported that attribute, as far as I know. I
believe you are looking for the contrib nssov overlay, which does support
it.
Hope that helps!
Regards,
Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
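For readers following the two replies above: the script below is an added example, not code from OpenLDAP, slapo-ppolicy or the nssov overlay. It applies the password-aging rules of shadow(5) (the fields a shadow-aware PAM stack such as pam_unix evaluates) to LDAP shadowAccount attributes, which makes clear what shadowInactive actually means: a grace period in days after the password has expired (shadowLastChange + shadowMax), not a count of days without logins. It also shows how an "inactive for 180 days" policy has to be expressed with shadowExpire, since shadow(5) has no last-login field. All sample entries and day numbers are constructed.

```python
"""shadow(5)-style password and account aging check for LDAP shadowAccount entries.

Added example for the shadowInactive discussion above; it is not OpenLDAP,
slapo-ppolicy or nssov code.  shadowInactive is the number of days *after* the
password has expired (shadowLastChange + shadowMax) during which the password is
still accepted.  shadowExpire is an absolute day (days since 1970-01-01) on which
the account is disabled regardless of activity.  Sample entries are constructed.
"""
from datetime import date

EPOCH = date(1970, 1, 1)


def days_since_epoch(d):
    """Day number as stored in shadowLastChange / shadowExpire."""
    return (d - EPOCH).days


def _days(value):
    """Accept either a date or an already-computed day number."""
    return value if isinstance(value, int) else days_since_epoch(value)


def _attr(entry, name, default=-1):
    """shadowAccount values come back from LDAP as strings; -1 means 'unset'."""
    value = entry.get(name)
    if value is None or value == "":
        return default
    return int(value)


def shadow_status(entry, today):
    """Classify an entry's shadow state on 'today' (a date or a day number).

    Returns one of:
      'account_expired'  today is on or after shadowExpire
      'must_change'      shadowLastChange is 0, or the password is older than
                         shadowMax but still inside the shadowInactive grace period
      'password_locked'  the password is older than shadowMax + shadowInactive
      'ok'               no aging configured, or still within shadowMax
    The checks are ordered the way pam_unix orders them.
    """
    cur = _days(today)
    expire = _attr(entry, "shadowExpire")
    lstchg = _attr(entry, "shadowLastChange")
    smax = _attr(entry, "shadowMax")
    inact = _attr(entry, "shadowInactive")

    if expire != -1 and cur >= expire:
        return "account_expired"
    if lstchg == 0:
        return "must_change"            # forced change on next login
    if lstchg == -1 or smax == -1:
        return "ok"                     # no password aging in effect
    age = cur - lstchg
    if age > smax:
        if inact != -1 and age > smax + inact:
            return "password_locked"
        return "must_change"
    return "ok"


def expire_after(last_activity, days):
    """shadowExpire value that disables the account 'days' after 'last_activity'.

    shadow(5) carries no last-login field, so an 'inactive for 180 days' policy
    has to be driven by the site's own login records: take the last observed
    login and write shadowExpire = that day + 180.
    """
    return _days(last_activity) + days


def demo():
    """Run the checks on constructed entries as of 2016-10-24 (day 17098)."""
    today = date(2016, 10, 24)
    samples = {
        # password 200 days old, max 90, inactive 180: expired, inside grace
        "inside_grace": {"shadowLastChange": "16898", "shadowMax": "90",
                         "shadowInactive": "180"},
        # password 300 days old: past the 90 + 180 day grace period
        "past_grace": {"shadowLastChange": "16798", "shadowMax": "90",
                       "shadowInactive": "180"},
        # absolute expiry day already reached
        "hard_expiry": {"shadowLastChange": "17000", "shadowExpire": "17000"},
        # no shadowMax: aging never kicks in
        "no_aging": {"shadowLastChange": "17000"},
    }
    result = {name: shadow_status(entry, today) for name, entry in samples.items()}
    result["today"] = days_since_epoch(today)
    # last login seen 2016-04-27, disable 180 days later: lands on today
    result["expire_2016_04_27_plus_180"] = expire_after(date(2016, 4, 27), 180)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

To apply the 180-day rule to a real directory you would run shadow_status over the entries returned by a search for objectClass=shadowAccount, and feed expire_after with whatever last-login source the site actually has (wtmp, SSO logs, or ppolicy's own data); the attribute values themselves carry no activity information.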
ditContentRule + cn=config
by Dieter Klünter
Hi,
it seems that slapd, started with -F, is not able to read schema
information prior to cn=config:
./slapd -h "ldap://:9007/ ldapi:///" -F ../etc/openldap/slapd.d -d256
580f76bd config error processing cn=config: olcDitContentRules:
ObjectClass not found: "2.16.840.1.113730.3.2.2"
580f76bd slapd stopped.
but with -f, schema information is read
prior to the global and database-specific configuration.
./slapd -h "ldap://:9007/ ldapi:///" -f ../etc/openldap/slapd.conf -d256
580f76e4 slapd starting
Has this been fixed already? I couldn't find a report in ITS, though.
-Dieter
--
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E
Disk full, 15GB of logfiles containing timestamps
by Dan Hawkes
We've encountered an issue where openldap seems to be writing huge
volumes of logs for authentication failures.
Having freed up some space and run `db_recover` (which cleared out the
log files), then restarted openldap, it's again written ~120MB of logs
for 200 failed authentication requests.
The log files are almost entirely timestamps:
0Z20161022152331.314499Z20161022152331.325384Z20161022152331.330788Z201610221523
31.350547Z20161022152331.355448Z20161022152331.369422Z20161022152331.374363Z2016
1022152331.390477Z20161022152331.410878Z20161022152331.427888Z20161022152331.438
814Z20161022152331.445610Z20161022152331.451377Z20161022152331.478571Z2016102215
2331.484278Z20161022152331.500831Z20161022152331.506391Z20161022152331.517584Z20
161022152331.522518Z20161022152331.542621Z20161022152331.547733Z20161022152331.5
66601Z20161022152331.571819Z20161022152331.582696Z20161022152331.588227Z20161022
152331.613213Z20161022152331.618932Z20161022152331.648696Z20161022152331.654433Z
20161022152331.668033Z20161022152331.677784Z20161022152331.685107Z20161022152331
.679736Z20161022152331.710191Z20161022152331.733564
OpenLDAP: slapd 2.4.40
Any ideas why this is happening?
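As an added example (not OpenLDAP or Berkeley DB code, and not part of Dan's post): the bytes quoted above are a run of values of the form 20161022152331.314499Z, i.e. LDAP GeneralizedTime with a microsecond fraction, which is the form slapo-ppolicy writes into pwdFailureTime on each failed bind. Whether these particular log files hold pwdFailureTime values is an assumption; the post does not identify them. Before reasoning about why 200 failed binds produce ~120 MB of transaction log, it helps to measure what is actually in the file: how many values, over what time span, at what rate, and whether they are even in order. The sample is the post's own ten wrapped lines, joined back together.

```python
"""Extract and summarize LDAP GeneralizedTime values from a raw log fragment.

Added example for the "Disk full" report above; not OpenLDAP or Berkeley DB code.
That the values are ppolicy pwdFailureTime values is an assumption.
"""
import re
from datetime import datetime

# Sample constructed from the ten 80-column lines quoted in the post; the line
# breaks are mail wrapping, so the lines are joined before scanning.
SAMPLE_LINES = [
    "0Z20161022152331.314499Z20161022152331.325384Z20161022152331.330788Z201610221523",
    "31.350547Z20161022152331.355448Z20161022152331.369422Z20161022152331.374363Z2016",
    "1022152331.390477Z20161022152331.410878Z20161022152331.427888Z20161022152331.438",
    "814Z20161022152331.445610Z20161022152331.451377Z20161022152331.478571Z2016102215",
    "2331.484278Z20161022152331.500831Z20161022152331.506391Z20161022152331.517584Z20",
    "161022152331.522518Z20161022152331.542621Z20161022152331.547733Z20161022152331.5",
    "66601Z20161022152331.571819Z20161022152331.582696Z20161022152331.588227Z20161022",
    "152331.613213Z20161022152331.618932Z20161022152331.648696Z20161022152331.654433Z",
    "20161022152331.668033Z20161022152331.677784Z20161022152331.685107Z20161022152331",
    ".679736Z20161022152331.710191Z20161022152331.733564",
]
SAMPLE = "".join(SAMPLE_LINES)

# YYYYMMDDHHMMSS.ffffff, optionally followed by 'Z' (the last value in the
# dump is cut off before its 'Z', so the suffix is optional).
GENERALIZED_TIME = re.compile(r"(\d{14}\.\d{6})Z?")


def extract_timestamps(blob):
    """All GeneralizedTime values in the blob, in the order they appear."""
    return GENERALIZED_TIME.findall(blob)


def summarize(blob):
    """Count the values, measure the span they cover, estimate the write rate
    and count values that are earlier than their predecessor."""
    stamps = extract_timestamps(blob)
    if not stamps:
        return {"count": 0}
    parsed = [datetime.strptime(s, "%Y%m%d%H%M%S.%f") for s in stamps]
    span = (max(parsed) - min(parsed)).total_seconds()
    out_of_order = sum(1 for a, b in zip(parsed, parsed[1:]) if b < a)
    return {
        "count": len(stamps),
        "first": stamps[0],
        "last": stamps[-1],
        "span_seconds": round(span, 6),
        "per_second": round(len(stamps) / span, 1) if span else None,
        "out_of_order": out_of_order,
        "bytes_per_value": len(stamps[0]) + 1,   # the value plus its 'Z'
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key}: {value}")
```

On a real file, read it as bytes and decode with a lossless codec before scanning, e.g. summarize(open(path, "rb").read().decode("latin-1")); the log is binary and only the timestamp runs are ASCII. The fragment here holds 35 values in under half a second, one of them out of order, which is the kind of figure to compare against the number of failed binds before concluding that each failure is rewriting a large multi-valued attribute.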
Disable Linux commands for LDAP users
by Bernard Fay
Hi,
I would like to be able to disable some Linux commands for LDAP users. One of
those commands is passwd. Because of some specific needs, when the LDAP
users have to change their password a special script has been created for
this purpose. They MUST not use passwd but this command is still required
by local users.
Might one of you have an idea how to disable Linux commands for LDAP users
only?
Thanks,
Bernard
How to disable referrals when proxy windows AD?
by JWD
I configured a proxy cache, using Windows AD as the backend.
When I run ldapsearch, it always searches references for minutes, like this:
# search reference
ref: ldap://ForestDnsZones.test.com/DC=ForestDnsZones,DC=test,DC=com
# search reference
ref: ldap://DomainDnsZones.test.com/DC=DomainDnsZones,DC=test,DC=com
# search reference
ref: ldap://test.com/CN=Configuration,DC=test,DC=com
In fact, there is no reference at all.
How to disable proxy cache referrals?
Below is my proxy cache config:
# back-ldap: requests for dc=test,dc=com are forwarded to the AD domain controller
database ldap
suffix "dc=test,dc=com"
uri ldap://192.168.127.15/
#uri ldap://192.168.127.15/dc=test,dc=com
rootdn "cn=root,dc=test,dc=com"
rootpw {SSHA}Hpc7nbJEdos8iCUAzRNa/rs5ffb0/+mD
# slapo-pcache: pcache <database> <max_entries> <numattrsets> <entry_limit> <cc_period>
overlay pcache
pcache bdb 100000 1 1000 100
# attribute set 0 and the query templates that are answered from the cache (ttl 3600 s)
#pcacheAttrset 0 name mail sAMAccountName telephonenumber
pcacheAttrset 0 name mail telephonenumber
pcacheTemplate (cn=) 0 3600
pcacheTemplate (&(sn=)(givenName=)) 0 3600
pcacheTemplate (&(departmentNumber=)(secretary=*)) 0 3600
# everything below configures the local bdb database that holds the cached entries
directory /var/lib/ldap/test
CacheSize 1000
DNcacheSize 2000
IDLcacheSize 3000
CacheFree 10
Checkpoint 1024 10
DbConfig set_cachesize 0 104857600 1
DbConfig set_data_dir db
DbConfig set_lg_dir logs
DbConfig set_lg_regionmax 1048576
DbConfig set_lg_max 20971520
DbConfig set_lg_bsize 2097152
DbConfig set_flags DB_LOG_AUTOREMOVE
DbConfig set_flags DB_TXN_NOSYNC
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
index entryCSN,entryUUID eq,pres
--------------
JWD
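The three references in the output above are the standard subordinate references an Active Directory domain controller returns for a subtree search based at the domain root: ForestDnsZones, DomainDnsZones and Configuration are separate naming contexts whose heads sit directly under dc=test,dc=com. slapd-ldap(5) chases referrals by default (the chase-referrals directive is on unless set to no), so a proxy that stalls for minutes is very likely trying to reach ForestDnsZones.test.com and the others. The fragment below is an added example, not part of JWD's post or of OpenLDAP's documentation, and the assumption that back-ldap's referral chasing is what costs the minutes is mine; the post does not confirm it.

```conf
database        ldap
suffix          "dc=test,dc=com"
uri             ldap://192.168.127.15/
rootdn          "cn=root,dc=test,dc=com"
# rootpw and the rest of the posted back-ldap settings unchanged

# slapd-ldap(5): do not follow referrals returned by the AD backend.
# The references are still handed back to the client as search references;
# ldapsearch prints them but only follows them when run with -C.
# Placed before the overlay line so it is parsed as a back-ldap directive.
chase-referrals no

overlay         pcache
pcache          bdb 100000 1 1000 100
pcacheAttrset   0 name mail telephonenumber
pcacheTemplate  (cn=) 0 3600
# remaining pcache and bdb directives unchanged from the posted config
```

If the clients only ever need user and group entries, the other option is to base their searches (and the cached templates) under the container that holds those entries, for example an OU below dc=test,dc=com: AD only emits these references when the search scope spans the heads of the other naming contexts, so a narrower base avoids them entirely.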