--On Friday, October 28, 2016 9:50 AM -0400 Ted Hyde <laserted(a)gmail.com>
wrote:
> Quanah - thanks for the response. Sorry to insult if I did - but thank
> you, I DID read the admin guide. Which as you have also pointed out uses
> slapd.conf examples. Since I am not knee-deep in commercial OpenLdap
> configuration every day (I am just a lowly IT admin, not a
> paid-to-openldap-person) I would disagree with your comment that the
> "conversion to cn=config" process isn't trivial, personally I get quite
> swamped by it, but push through as best I can. But if you're offering to
> convert my sample configs for me, I'd be happy to share them with you.
You can convert your sample configs via the slaptest command, as documented.
> Or
> perhaps you could help the community by providing some OLC config
> examples for the admin guide, that way us peons would be able to use that
> as our only official source instead of having to google to find "Random"
> help.
My point was more that converting examples in the admin guide from
slapd.conf to cn=config is fairly trivial.
For example, if we look at section 18.3.1.2 in the admin guide:
database mdb
maxsize 1073741824
suffix dc=Example,dc=com
rootdn dc=Example,dc=com
directory /var/ldap/db
index objectclass,entryCSN,entryUUID eq
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
this is rather trivially converted to:
dn: olcDatabase={1}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {1}mdb
olcDbMaxSize: 1073741824
olcSuffix: dc=example,dc=com
olcRootDN: dc=example,dc=com
olcDbDirectory: /var/ldap/db
olcDbIndex: objectClass eq
olcDbIndex: entryUUID eq
olcDbIndex: entryCSN eq

dn: olcOverlay={0}syncprov,olcDatabase={1}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: {0}syncprov
olcSpCheckpoint: 100 10
olcSpSessionlog: 100
etc. Converting to cn=config from slapd.conf is not particularly difficult.
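A small converter that mechanises the mapping shown above, as an added example that is not OpenLDAP's code (slaptest(8) is the real converter and covers the whole directive set). It handles only the directives in the quoted stanza; olcDbMaxSize, olcSpCheckpoint and olcSpSessionlog are the actual cn=config attribute names, and the SAMPLE_CONF constant is the slapd.conf stanza from the message, embedded so the script runs on its own.

```python
"""Illustrative slapd.conf -> cn=config converter for the directives used in the
example above.  slaptest(8) is the authoritative converter; this mirrors the
mapping for a handful of directives so the shape of the transformation is
visible.  Added example, not OpenLDAP code."""

# slapd.conf database directive -> cn=config attribute (subset only)
DB_DIRECTIVES = {
    "suffix": "olcSuffix",
    "rootdn": "olcRootDN",
    "directory": "olcDbDirectory",
    "maxsize": "olcDbMaxSize",
}

# overlay name -> (objectClass, slapd.conf directive prefix, olc attribute prefix)
OVERLAYS = {
    "syncprov": ("olcSyncProvConfig", "syncprov-", "olcSp"),
}

# Constructed input: the slapd.conf stanza quoted in the message above.
SAMPLE_CONF = """\
database mdb
maxsize 1073741824
suffix dc=Example,dc=com
rootdn dc=Example,dc=com
directory /var/ldap/db
index objectclass,entryCSN,entryUUID eq
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
"""


def convert(conf_text, db_index=1):
    """Translate a slapd.conf database stanza into cn=config entries.

    Returns a list of entries, each a list of 'attr: value' lines whose first
    line is the dn.  Overlays become child entries of the database entry,
    numbered {0}, {1}, ... in the order they appear."""
    entries = []
    db = None          # lines of the database entry being built
    db_dn = None
    overlay = None     # (lines, directive prefix, olc prefix) of the current overlay
    overlay_index = 0

    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        directive, _, args = line.partition(" ")
        directive = directive.lower()
        args = args.strip()

        if directive == "database":
            db_dn = f"olcDatabase={{{db_index}}}{args},cn=config"
            db = [
                f"dn: {db_dn}",
                "objectClass: olcDatabaseConfig",
                f"objectClass: olc{args.capitalize()}Config",   # mdb -> olcMdbConfig
                f"olcDatabase: {{{db_index}}}{args}",
            ]
            entries.append(db)
            overlay, overlay_index = None, 0
            continue
        if db is None:
            raise ValueError(f"directive before any 'database' line: {line}")

        if directive == "overlay":
            object_class, prefix, olc_prefix = OVERLAYS[args]
            lines = [
                f"dn: olcOverlay={{{overlay_index}}}{args},{db_dn}",
                "objectClass: olcOverlayConfig",
                f"objectClass: {object_class}",
                f"olcOverlay: {{{overlay_index}}}{args}",
            ]
            entries.append(lines)
            overlay = (lines, prefix, olc_prefix)
            overlay_index += 1
            continue

        # syncprov-checkpoint -> olcSpCheckpoint, syncprov-sessionlog -> olcSpSessionlog
        if overlay and directive.startswith(overlay[1]):
            name = directive[len(overlay[1]):]
            overlay[0].append(f"{overlay[2]}{name.capitalize()}: {args}")
            continue

        # one 'index a,b,c eq' line becomes one olcDbIndex value per attribute
        if directive == "index":
            attrs, _, index_types = args.partition(" ")
            for attr in attrs.split(","):
                db.append(f"olcDbIndex: {attr} {index_types.strip()}")
            continue

        if directive in DB_DIRECTIVES:
            db.append(f"{DB_DIRECTIVES[directive]}: {args}")
            continue
        raise ValueError(f"directive not handled by this example: {directive}")
    return entries


def to_ldif(entries):
    """Render entries as LDIF, one blank line between entries."""
    return "\n\n".join("\n".join(e) for e in entries) + "\n"


if __name__ == "__main__":
    print(to_ldif(convert(SAMPLE_CONF)))
```

The output is the LDIF you would feed to slapadd -F against an empty slapd.d; anything outside the handled subset raises rather than being silently dropped, which is the behaviour you want from a config translator.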
> I *can* move to refreshAndPersist; but the service provides two
> documented options (information I got from reading the admin guide), the
> description for refreshOnly best fits my scenario and needs. I didn't
> read any reason as to *not* use - perhaps you're aware of a bug report
> that refreshOnly is broken?
I'm aware that operating in refreshOnly is problematic, and it is advised
not to use it. If you want to persist in using it, I certainly can't stop
you. ;) If/when I find time to rewrite the admin guide, removing it from
the examples will be one of the first steps I take.
> Perhaps my research (which I'm sure isn't as broad as yours) just seemed
> to point to the fact that openldap will/may be deprecating the
> slapd.conf procedures, and that everyone should get on board with OLC as
> soon as possible. While I can perform the setup with slapd.conf (as noted
> in the admin guide), I was hoping to practice some useful technique I
> could use in the future.
Again, as noted in the documentation, you can set up one time with
slapd.conf, and then move forward with converting it to cn=config via
slaptest, and then just use cn=config from that point forward, using ldap*
commands to make updates as necessary.
If you want some further examples of cn=config, you may like the following:
<https://git.zimbra.com/repos/zimbra-foss/ZimbraServer/conf/ldap/config/>
Which has a basic cn=config layout for a standalone server with a suffix of
"" and a few overlays loaded as a starting point.
You may also be interested in the tools I wrote for manipulating cn=config
to use as examples:
<https://git.zimbra.com/repos/zimbra-foss/ZimbraServer/src/libexec/zmldapena…>
<https://git.zimbra.com/repos/zimbra-foss/ZimbraServer/src/libexec/zmldapena…>
<https://git.zimbra.com/repos/zimbra-foss/ZimbraServer/src/libexec/zmldaprep…>
<https://git.zimbra.com/repos/zimbra-foss/ZimbraServer/src/libexec/zmldapmmr…>
etc. While bits of it are specific to Zimbra, the ideas behind
updating/modifying cn=config are universal.
On the documentation, I would note that it is a community effort, and
anyone can contribute updates, etc, via the ITS system. The sad fact is,
many people complain about the documentation, but very few ever step up and
contribute back, which means that it often languishes.
I hope the above helps.
Regards,
Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
Hi,
I have configured two LDAP trees, one for Unix accounts (ou=User) (sample
LDIF below):
dn: uid=2011150,ou=User,dc=acer,dc=in
empID: 2011150
username: test1
cn: test1
centre: PN
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
oldempid: 1150
mail: test1(a)acer.in
givenName: test1
uid: 2011150
shadowLastChange: 15590
loginShell: /bin/bash
uidNumber: 11150
gidNumber: 11150
homeDirectory: /mbox4.2/test1
userPassword: {SHA}1SrgdEGUPa/U6KM43Kq9xTgnI7A=
and another for the Samba tree (ou=samba) (sample entry below):
dn: uid=test1,ou=samba,dc=acer,dc=in
uid: test1
sambaSID: S-1-5-21-4079184197-2446238136-3299756537-1005
displayName: test1
sambaAcctFlags: [UX ]
objectClass: sambaSamAccount
objectClass: account
sambaLMPassword: C2F63206FC9CF08A1AA818381E4E281B
sambaNTPassword: 0242A7FEC5CD294F916925766089E573
and I am able to authenticate with the Samba configuration. But I am not able
to find out how the passwords will sync, meaning if a user changes his password,
how will the NT password reflect it (these are two different trees)? Is it
possible to sync? If yes, please help me out.
--
Thanks & Regards,
Arun Kumar Gupta
--On Sunday, October 16, 2016 3:29 PM -0400 John Lewis <oflameo2(a)gmail.com>
wrote:
> I want to host a LDAP server that contains a directory that contains the
> offices of local Representatives and Public Servants, the issues they
> are responsible for, and their names. I would like anyone who wants to
> to browse it or put up front ends.
>
> Is there anything in particular that I should keep in mind?
Keep your tree as flat as possible, as deep as necessary, is the guiding
wisdom. ;)
--Quanah