LMDB and Referential transparency
by Pierre-Étienne Meunier
Hi,
I love LMDB, thanks for writing it! I wonder whether it would be possible to add the following feature:
When I change one of the databases (called for instance A) in my environment, I'd like to be able to still keep a copy of A as it was before, and make a new copy B, that would share all its memory with A, except the changes.
In other words, I'd like to have a function like:
int mdb_fork_db(MDB_txn* txn, MDB_dbi dbi_a, char* B, int open_dbi_flags, MDB_dbi* dbi_b),
which would open a new database dbi_b with name B, and copy the B-Tree root of database "dbi_a" as the root of "dbi_b".
After this, any put/delete on A would update A only, and any put/delete on new_name would update new_name only.
Cheers,
Pierre
Here is an example of the semantics I would find really great:
#include <lmdb.h>
#include <string.h>

int main(void){
    MDB_env *env;
    mdb_env_create(&env);
    mdb_env_set_maxdbs(env,2);             /* must be called before mdb_env_open() */
    mdb_env_open(env,"/tmp/test.lmdb",0,0755);
    MDB_txn *txn;
    mdb_txn_begin(env,NULL,0,&txn);
    MDB_dbi db_a;
    mdb_dbi_open(txn,"A",MDB_CREATE,&db_a);
    {
        char *k_="shared1";
        char *v_="value 1";
        MDB_val k = { .mv_size=strlen(k_), .mv_data=k_ };   /* strlen, not sizeof(char*) */
        MDB_val v = { .mv_size=strlen(v_), .mv_data=v_ };
        mdb_put(txn,db_a,&k,&v,0);
    }
    {
        char *k_="shared2";
        char *v_="value 2";
        MDB_val k = { .mv_size=strlen(k_), .mv_data=k_ };
        MDB_val v = { .mv_size=strlen(v_), .mv_data=v_ };
        mdb_put(txn,db_a,&k,&v,0);
    }
    MDB_dbi db_b;
    /* proposed function (not in LMDB): B starts out with A's B-tree root */
    mdb_fork_db(txn,db_a,"B",MDB_CREATE,&db_b);
    {
        char *k_="BKey";
        char *v_="Value B";
        MDB_val k = { .mv_size=strlen(k_), .mv_data=k_ };
        MDB_val v = { .mv_size=strlen(v_), .mv_data=v_ };
        mdb_put(txn,db_b,&k,&v,0);
    }
    {
        char *k_="AKey";
        char *v_="Value A";
        MDB_val k = { .mv_size=strlen(k_), .mv_data=k_ };
        MDB_val v = { .mv_size=strlen(v_), .mv_data=v_ };
        mdb_put(txn,db_a,&k,&v,0);
    }
    // Now, A has {shared1, shared2, AKey}, and B has {shared1, shared2, BKey}.
    {
        char *k_="shared1";
        MDB_val k = { .mv_size=strlen(k_), .mv_data=k_ };
        mdb_del(txn,db_b,&k,NULL);
    }
    // Now, A has {shared1, shared2, AKey}, and B has {shared2, BKey}.
    mdb_drop(txn,db_a,1);                  /* delete database A and close its handle */
    // Now, the environment has just a single database B, with keys {shared2, BKey}.
    mdb_txn_commit(txn);
    mdb_env_close(env);
    return 0;
}
7 years, 7 months
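The "share all memory except the changes" semantics the LMDB post above asks for is what a path-copying persistent tree gives you: nodes are immutable, a write allocates fresh nodes only along the root-to-key path, and a fork is just a second handle on the same root. The following is an added example, not code from the post or from LMDB; the names Node, put, delete, fork and the in-memory binary search tree are this example's own stand-in for LMDB's copy-on-write B-tree pages.

```python
"""Copy-on-write "fork" of a key/value store by sharing the tree root."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Node:
    """Immutable tree node; a version of the store is a pointer to its root."""
    key: str
    val: str
    left: Optional["Node"] = None
    right: Optional["Node"] = None


def put(root: Optional[Node], key: str, val: str) -> Node:
    """Return a new root containing key=val; the old root is untouched."""
    if root is None:
        return Node(key, val)
    if key < root.key:
        return Node(root.key, root.val, put(root.left, key, val), root.right)
    if key > root.key:
        return Node(root.key, root.val, root.left, put(root.right, key, val))
    return Node(key, val, root.left, root.right)  # overwrite: new node, same subtrees


def delete(root: Optional[Node], key: str) -> Optional[Node]:
    """Return a new root without key; subtrees off the search path are shared."""
    if root is None:
        return None
    if key < root.key:
        return Node(root.key, root.val, delete(root.left, key), root.right)
    if key > root.key:
        return Node(root.key, root.val, root.left, delete(root.right, key))
    if root.left is None:
        return root.right
    if root.right is None:
        return root.left
    succ = root.right                       # in-order successor replaces the node
    while succ.left is not None:
        succ = succ.left
    return Node(succ.key, succ.val, root.left, delete(root.right, succ.key))


def fork(root: Optional[Node]) -> Optional[Node]:
    """O(1): a fork is the same root object; later writes diverge by path copying."""
    return root


def keys(root: Optional[Node]) -> list[str]:
    """Sorted keys of a version."""
    return [] if root is None else keys(root.left) + [root.key] + keys(root.right)


def scenario() -> dict[str, object]:
    """Replay the post's A/B sequence and report what each version sees."""
    a = put(put(None, "shared1", "value 1"), "shared2", "value 2")
    b = fork(a)
    b = put(b, "BKey", "Value B")
    a = put(a, "AKey", "Value A")
    # Both roots are fresh objects, but the untouched "shared2" subtree is one object.
    shared = a.right is b.right
    b = delete(b, "shared1")
    return {"A": keys(a), "B": keys(b), "shared_subtree": shared}


if __name__ == "__main__":
    print(scenario())
```

Freeing is the part this toy skips: once nothing references the old root, its unshared nodes are garbage, which is the job LMDB's free list does for pages that no reader transaction can still see.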
chaining for a single backend?
by Marc Patermann
Hi,
I want to activate chaining for a single backend.
The server is a replication consumer and has a few glued database backends.
Only one is containing linux accounts with ppolicy overlay.
This should use chaining to replicate the ppolicy changes which
otherwise stay local.
Can this be achieved?
Marc
7 years, 7 months
Unable to do ldapsearch, but testsaslauthd works in OpenLDAP 2.4
by Ravi K Althuru
We have OpenLDAP 2.3 running on Linux. It is set up in SASL mode authenticating
against multiple ADs. Everything works fine there, which is our Production env.
We recently installed a new instance of OpenLDAP 2.4.23 running on RedHat Linux 6
in our Dev and QA env. Then, we moved the slapd.conf and slapd-meta.conf file to
the new instance, and created the required users.
When we run testsaslauthd, we are successfully able to authenticate against the
appropriate AD that the user is under.
testsaslauthd -u ravi@SONEPAR -p secret - WORKS
ldapsearch -x -D uid=ravi,ou=People,ou=company,dc=inside,dc=devserver,dc=com -w secret
results in: ldap_bind: Invalid credentials (49)
But when we do an ldap search or connect using LDAP Browser, the user is not able
to get authenticated. We are not able to bind to the OpenLDAP by using the same credentials.
I get an Invalid credentials err 49, which indicates either credentials are incorrect,
which in this case it's not, or the bind info is incorrect.
It seems as though the user is not able to bind to OpenLDAP 2.4 or it does not know how
to. When I change the password from {SASL}ralthuru@SONEPAR to a text say "secret", it works fine.
Here is the log output from the same user authentication in OpenLDAP 2.3 and OpenLDAP 2.4:
SUCCESS - QA 2.4 - testsaslauthd -u ralthuru@SONEPAR -p secret
Feb 2 16:42:44 pabeldapd01-new slapd[65327]: conn=1000 fd=8 ACCEPT from IP=127.0.0.1:44500 (IP=127.0.0.1:391)
Feb 2 16:42:44 pabeldapd01-new slapd[65327]: conn=1000 op=0 BIND dn="cn=Manager,dc=local" method=128
Feb 2 16:42:44 pabeldapd01-new slapd[65327]: conn=1000 op=0 BIND dn="cn=Manager,dc=local" mech=SIMPLE ssf=0
Feb 2 16:42:44 pabeldapd01-new slapd[65327]: conn=1000 op=0 RESULT tag=97 err=0 text=
Feb 2 16:42:44 pabeldapd01-new slapd[65327]: conn=1000 op=1 SRCH base="ou=SONEPAR,dc=local" scope=2 deref=0 filter="(|(uid=ralthuru)(?SMACCOUNTNAME=ralthuru))"
Feb 2 16:42:44 pabeldapd01-new slapd[65327]: conn=1000 op=1 SRCH attr=dn
Feb 2 16:42:44 pabeldapd01-new slapd[65327]: conn=1000 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Feb 2 16:42:44 pabeldapd01-new slapd[65327]: conn=1000 op=2 BIND anonymous mech=implicit ssf=0
Feb 2 16:42:44 pabeldapd01-new slapd[65327]: conn=1000 op=2 BIND dn="cn=Ravi Althuru,cn=Users,ou=SONEPAR,dc=local" method=128
Feb 2 16:42:44 pabeldapd01-new slapd[65327]: conn=1000 op=2 BIND dn="cn=Ravi Althuru,cn=Users,ou=SONEPAR,dc=local" mech=SIMPLE ssf=0
Feb 2 16:42:44 pabeldapd01-new slapd[65327]: conn=1000 op=2 RESULT tag=97 err=0 text=
SUCCESS - QA 2.4 - login as cn=Manager/Password1 from LDAP Browser
Feb 2 16:43:09 pabeldapd01-new slapd[65323]: conn=1004 fd=12 ACCEPT from IP=10.108.138.66:64931 (IP=0.0.0.0:389)
Feb 2 16:43:09 pabeldapd01-new slapd[65323]: conn=1004 op=0 BIND dn="cn=Manager,dc=inside,dc=sdusadevl,dc=com" method=128
Feb 2 16:43:09 pabeldapd01-new slapd[65323]: conn=1004 op=0 BIND dn="cn=Manager,dc=inside,dc=sdusadevl,dc=com" mech=SIMPLE ssf=0
Feb 2 16:43:09 pabeldapd01-new slapd[65323]: conn=1004 op=0 RESULT tag=97 err=0 text=
Feb 2 16:43:12 pabeldapd01-new slapd[65323]: conn=1004 op=1 UNBIND
Feb 2 16:43:12 pabeldapd01-new slapd[65323]: conn=1004 fd=12 closed
FAIL - QA 2.4 - login as uid=ralthuru/Sonepar123 from LDAP Browser
Feb 2 16:43:35 pabeldapd01-new slapd[65323]: conn=1005 fd=12 ACCEPT from IP=10.108.138.66:64939 (IP=0.0.0.0:389)
Feb 2 16:43:35 pabeldapd01-new slapd[65323]: conn=1005 op=0 BIND dn="uid=ralthuru,ou=Sonepar,ou=People,dc=inside,dc=sdusadevl,dc=com" mthod=128
Feb 2 16:43:35 pabeldapd01-new slapd[65323]: conn=1005 op=0 RESULT tag=97 err=49 text=
Feb 2 16:43:35 pabeldapd01-new slapd[65323]: conn=1005 op=1 UNBIND
Feb 2 16:43:35 pabeldapd01-new slapd[65323]: conn=1005 fd=12 closed
SUCCESS - PRODUCTION 2.3 - testsaslauthd -u ralthuru@SONEPAR -p secret
Feb 3 10:07:35 pavfldapp01 slapd[6375]: conn=94 op=22 BIND anonymous mech=implicit ssf=0
Feb 3 10:07:35 pavfldapp01 slapd[6375]: conn=94 op=22 BIND dn="cn=Manager,dc=local" method=128
Feb 3 10:07:35 pavfldapp01 slapd[6375]: conn=94 op=22 BIND dn="cn=Manager,dc=local" mech=SIMPLE ssf=0
Feb 3 10:07:35 pavfldapp01 slapd[6375]: conn=94 op=22 RESULT tag=97 err=0 text=
Feb 3 10:07:35 pavfldapp01 slapd[6375]: conn=94 op=23 SRCH base="ou=SONEPAR,dc=local" scope=2 deref=0 filter="(|(uid=ralthuru)(SAMACCOUNTNAME=ralthuru))"
Feb 3 10:07:35 pavfldapp01 slapd[6375]: conn=94 op=23 SRCH attr=dn
Feb 3 10:07:35 pavfldapp01 slapd[6375]: conn=94 op=23 SEARCH RESULT tag=101 err=0 nentries=1 text=
Feb 3 10:07:35 pavfldapp01 slapd[6375]: conn=94 op=24 BIND anonymous mech=implicit ssf=0
Feb 3 10:07:35 pavfldapp01 slapd[6375]: conn=94 op=24 BIND dn="cn=Althuru\2C Ravi,ou=Accenture,ou=Consultants,ou=SONEPAR,dc=local" method=128
Feb 3 10:07:35 pavfldapp01 slapd[6375]: conn=94 op=24 BIND dn="cn=Althuru\2C Ravi,ou=Accenture,ou=Consultants,ou=SONEPAR,dc=local" mech=SIMPLE ssf=0
Feb 3 10:07:35 pavfldapp01 slapd[6375]: conn=94 op=24 RESULT tag=97 err=0 text=
SUCCESS - PRODUCTION 2.3 - login as uid=ralthuru/secret from LDAP Browser
Feb 3 10:44:45 pavfldapp01 slapd[4806]: conn=50825 fd=15 ACCEPT from IP=10.108.138.66:54298 (IP=0.0.0.0:389)
Feb 3 10:44:45 pavfldapp01 slapd[4806]: conn=50825 op=0 BIND dn="uid=ralthuru,ou=Sonepar,ou=People,dc=inside,dc=sonepar-us,dc=com" method=128
Feb 3 10:44:45 pavfldapp01 slapd[6375]: conn=94 op=25 BIND anonymous mech=implicit ssf=0
Feb 3 10:44:45 pavfldapp01 slapd[6375]: conn=94 op=25 BIND dn="cn=Manager,dc=local" method=128
Feb 3 10:44:45 pavfldapp01 slapd[6375]: conn=94 op=25 BIND dn="cn=Manager,dc=local" mech=SIMPLE ssf=0
Feb 3 10:44:45 pavfldapp01 slapd[6375]: conn=94 op=25 RESULT tag=97 err=0 text=
Feb 3 10:44:45 pavfldapp01 slapd[6375]: conn=94 op=26 SRCH base="ou=SONEPAR,dc=local" scope=2 deref=0 filter="(|(uid=ralthuru)(SAMACCOUNTNAME=ralthuru))"
Feb 3 10:44:45 pavfldapp01 slapd[6375]: conn=94 op=26 SRCH attr=dn
Feb 3 10:44:45 pavfldapp01 slapd[6375]: conn=94 op=26 SEARCH RESULT tag=101 err=0 nentries=1 text=
Feb 3 10:44:45 pavfldapp01 slapd[6375]: conn=94 op=27 BIND anonymous mech=implicit ssf=0
Feb 3 10:44:45 pavfldapp01 slapd[6375]: conn=94 op=27 BIND dn="cn=Althuru\2C Ravi,ou=Accenture,ou=Consultants,ou=SONEPAR,dc=local" method=128
Feb 3 10:44:45 pavfldapp01 slapd[6375]: conn=94 op=27 BIND dn="cn=Althuru\2C Ravi,ou=Accenture,ou=Consultants,ou=SONEPAR,dc=local" mech=SIMPLE ssf=0
Feb 3 10:44:45 pavfldapp01 slapd[6375]: conn=94 op=27 RESULT tag=97 err=0 text=
Feb 3 10:44:45 pavfldapp01 slapd[4806]: conn=50825 op=0 BIND dn="uid=ralthuru,ou=Sonepar,ou=People,dc=inside,dc=sonepar-us,dc=com" mech=SIMPLE ssf=0
Feb 3 10:44:45 pavfldapp01 slapd[4806]: conn=50825 op=0 RESULT tag=97 err=0 text=
Feb 3 10:44:47 pavfldapp01 slapd[4806]: conn=50825 op=1 UNBIND
SUCCESS - PRODUCTION 2.3 - LDAP Search command as uid=ralthuru/secret
Feb 3 10:48:54 pavfldapp01 slapd[4806]: conn=50831 fd=15 ACCEPT from IP=10.199.204.205:44578 (IP=0.0.0.0:389)
Feb 3 10:48:54 pavfldapp01 slapd[4806]: conn=50831 op=0 BIND dn="uid=ralthuru,ou=Sonepar,ou=People,dc=inside,dc=sonepar-us,dc=com" method=128
Feb 3 10:48:54 pavfldapp01 slapd[6375]: conn=94 op=28 BIND anonymous mech=implicit ssf=0
Feb 3 10:48:54 pavfldapp01 slapd[6375]: conn=94 op=28 BIND dn="cn=Manager,dc=local" method=128
Feb 3 10:48:54 pavfldapp01 slapd[6375]: conn=94 op=28 BIND dn="cn=Manager,dc=local" mech=SIMPLE ssf=0
Feb 3 10:48:54 pavfldapp01 slapd[6375]: conn=94 op=28 RESULT tag=97 err=0 text=
Feb 3 10:48:54 pavfldapp01 slapd[6375]: conn=94 op=29 SRCH base="ou=SONEPAR,dc=local" scope=2 deref=0 filter="(|(uid=ralthuru)(SAMACCOUNTNAME=ralthuru))"
Feb 3 10:48:54 pavfldapp01 slapd[6375]: conn=94 op=29 SRCH attr=dn
Feb 3 10:48:54 pavfldapp01 slapd[6375]: conn=94 op=29 SEARCH RESULT tag=101 err=0 nentries=1 text=
Feb 3 10:48:54 pavfldapp01 slapd[6375]: conn=94 op=30 BIND anonymous mech=implicit ssf=0
Feb 3 10:48:54 pavfldapp01 slapd[6375]: conn=94 op=30 BIND dn="cn=Althuru\2C Ravi,ou=Accenture,ou=Consultants,ou=SONEPAR,dc=local" method=128
Feb 3 10:48:54 pavfldapp01 slapd[6375]: conn=94 op=30 BIND dn="cn=Althuru\2C Ravi,ou=Accenture,ou=Consultants,ou=SONEPAR,dc=local" mech=SIMPLE ssf=0
Feb 3 10:48:54 pavfldapp01 slapd[6375]: conn=94 op=30 RESULT tag=97 err=0 text=
Feb 3 10:48:54 pavfldapp01 slapd[4806]: conn=50831 op=0 BIND dn="uid=ralthuru,ou=Sonepar,ou=People,dc=inside,dc=sonepar-us,dc=com" mech=SIMPLE ssf=0
Feb 3 10:48:54 pavfldapp01 slapd[4806]: conn=50831 op=0 RESULT tag=97 err=0 text=
Feb 3 10:48:54 pavfldapp01 slapd[4806]: conn=50831 op=1 SRCH base="dc=inside,dc=sonepar-us,dc=com" scope=2 deref=0 filter="(objectClass=*)"
Feb 3 10:48:54 pavfldapp01 slapd[4806]: conn=50831 op=1 SEARCH RESULT tag=101 err=4 nentries=500 text=
Feb 3 10:48:54 pavfldapp01 slapd[4806]: conn=50831 op=2 UNBIND
Feb 3 10:48:54 pavfldapp01 slapd[4806]: conn=50831 fd=15 closed
Here is the ldap.conf
URI ldap://10.99.19.179
BASE dc=inside,dc=sdusadevl,dc=com
TLS_REQCERT never
Here is the slapd.conf, only the relevant info:
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/schema_extension.schema
allow bind_v2
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
modulepath /usr/lib64/openldap
loglevel 256
#######################################################################
# ldbm and/or bdb database definitions
#######################################################################
database bdb
suffix "dc=inside,dc=sdusadevl,dc=com"
rootdn "cn=Manager,dc=inside,dc=sdusadevl,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw xyz123
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /var/lib/ldap
# Indices to maintain for this database
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
index uniqueMember eq,pres
# Replicas of this database
#replogfile /var/lib/ldap/openldap-master-replog
#replica host=ldap-1.example.com:389 starttls=critical
# bindmethod=sasl saslmech=GSSAPI
# authcId=host/ldap-master.example.com(a)EXAMPLE.COM
# adding to ignore error for slaptest
cachesize 2000
sasl-host localhost
sasl-secprops none
----------------------
Here is the slapd-meta.conf containing the AD where the user ralthuru is authenticating to:
uri ldap://sdusa-dc-01.sdusadevl.com:3268/ou=SONEPAR,dc=local
lastmod off
suffixmassage "ou=SONEPAR,dc=local" "dc=sdusadevl,dc=com"
idassert-bind bindmethod=simple
binddn="CN=Vignette\\, Service Account,OU=Vignette Service,OU=Vignette,OU=Enterpise Systems,DC=sdusadevl,DC=com"
credentials="hiddenpassword"
mode=none
flags=non-prescriptive
idassert-authzFrom "dn.exact:cn=Manager,dc=local"
I have searched across many forums, compared the set up on the OpenLDAP 2.3 and
OpenLDAP 2.4 instances and cannot find any differences.
Any suggestions on how to resolve this are appreciated!
7 years, 7 months
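The first step in a bind problem like the one above is to pair each BIND in the loglevel 256 output with the RESULT of the same conn/op, so the failing DN, client address and result code come out of the log rather than out of guesswork. This is an added example, not code from the post or from OpenLDAP: a small parser for the log format shown above. The sample lines are copied verbatim from the post; the function names and the result-code table are this example's own.

```python
"""Correlate slapd BIND requests with their RESULT lines."""
import re

# One regex for the three line shapes we care about: ACCEPT (gives the client
# IP per connection), BIND and RESULT (keyed by conn + op).
LINE = re.compile(
    r"conn=(?P<conn>\d+) (?:fd=\d+ ACCEPT from IP=(?P<ip>[^ ]+)"
    r"|op=(?P<op>\d+) (?P<kind>BIND|RESULT|UNBIND)(?P<rest>.*))"
)
# LDAP result codes seen in the post's logs.
RESULT_NAMES = {0: "success", 4: "sizeLimitExceeded", 49: "invalidCredentials"}

# Sample input: lines copied from the post above.
SAMPLE = """\
Feb 2 16:43:09 pabeldapd01-new slapd[65323]: conn=1004 fd=12 ACCEPT from IP=10.108.138.66:64931 (IP=0.0.0.0:389)
Feb 2 16:43:09 pabeldapd01-new slapd[65323]: conn=1004 op=0 BIND dn="cn=Manager,dc=inside,dc=sdusadevl,dc=com" method=128
Feb 2 16:43:09 pabeldapd01-new slapd[65323]: conn=1004 op=0 BIND dn="cn=Manager,dc=inside,dc=sdusadevl,dc=com" mech=SIMPLE ssf=0
Feb 2 16:43:09 pabeldapd01-new slapd[65323]: conn=1004 op=0 RESULT tag=97 err=0 text=
Feb 2 16:43:35 pabeldapd01-new slapd[65323]: conn=1005 fd=12 ACCEPT from IP=10.108.138.66:64939 (IP=0.0.0.0:389)
Feb 2 16:43:35 pabeldapd01-new slapd[65323]: conn=1005 op=0 BIND dn="uid=ralthuru,ou=Sonepar,ou=People,dc=inside,dc=sdusadevl,dc=com" mthod=128
Feb 2 16:43:35 pabeldapd01-new slapd[65323]: conn=1005 op=0 RESULT tag=97 err=49 text=
Feb 2 16:43:35 pabeldapd01-new slapd[65323]: conn=1005 op=1 UNBIND
"""


def bind_outcomes(log_text):
    """Return (conn, client_ip, bind_dn, err, name) for every completed BIND."""
    ips = {}        # conn -> client IP, from the ACCEPT line
    pending = {}    # (conn, op) -> DN of a BIND still waiting for its RESULT
    out = []
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue                                   # SRCH, closed, etc.
        if m.group("ip"):
            ips[m.group("conn")] = m.group("ip").split(":")[0]
            continue
        key = (m.group("conn"), m.group("op"))
        if m.group("kind") == "BIND":
            # slapd logs a BIND twice (method=, then mech=); both carry the DN.
            dn = re.search(r'dn="([^"]*)"', m.group("rest"))
            pending[key] = dn.group(1) if dn else ""   # "" = anonymous
        elif m.group("kind") == "RESULT" and key in pending:
            err = int(re.search(r"err=(\d+)", m.group("rest")).group(1))
            out.append((key[0], ips.get(key[0], "?"), pending.pop(key),
                        err, RESULT_NAMES.get(err, "other")))
    return out


def failed_binds(log_text):
    """Only the binds that did not succeed (err != 0)."""
    return [o for o in bind_outcomes(log_text) if o[3] != 0]


if __name__ == "__main__":
    for conn, ip, dn, err, name in failed_binds(SAMPLE):
        print(f"conn={conn} ip={ip} dn={dn!r} err={err} ({name})")
```

Run against the full server log, the same function separates the two cases in the post: the cn=Manager bind that returns err=0 and the uid=ralthuru bind that returns err=49 on the very first operation, before any back-end search is logged.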
Nested groups and sssd filters
by Miltos Tereres
Hello,
I have a groupOfUniqueNames in my ldap (xv64ut09), which has as a uniqueMember the DN of another groupOfUniqueNames. In this last group are my user values.
In my sssd configuration I use a filter like this:
ldap_user_search_base = ou=people,dc=fu,dc=bar,dc=com??(&(memberOf=cn=xv64ut09,ou=groups,dc=fu,dc=bar,dc=com)(objectClass=*))
The problem is that this doesn't work if the user values are in a nested group, it only works if the users are in my main group (xv64ut09).
I would guess that linux / sssd can support this type of nesting. Is there a change that needs to be done from the ldap server side, in the schema, or maybe something else that I have missed? I am using the rfc2307bis...
Thanks.
7 years, 7 months
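The behaviour described in the post above is direct membership versus nested membership: a memberOf-style filter matches only entries listed in the group's own uniqueMember attribute, so a user who sits in a group that xv64ut09 contains is not returned. This added example (not from the post, not sssd code) models that with an in-memory snapshot of two groupOfUniqueNames entries and shows a transitive, cycle-safe expansion beside the direct lookup. Every DN except cn=xv64ut09,ou=groups,dc=fu,dc=bar,dc=com is constructed for the example.

```python
"""Direct vs. nested groupOfUniqueNames membership."""

# Constructed directory snapshot: group DN -> uniqueMember values.
# "inner" is nested under xv64ut09 and also points back at it (a cycle).
GROUPS = {
    "cn=xv64ut09,ou=groups,dc=fu,dc=bar,dc=com": [
        "cn=inner,ou=groups,dc=fu,dc=bar,dc=com",
        "uid=alice,ou=people,dc=fu,dc=bar,dc=com",
    ],
    "cn=inner,ou=groups,dc=fu,dc=bar,dc=com": [
        "uid=bob,ou=people,dc=fu,dc=bar,dc=com",
        "cn=xv64ut09,ou=groups,dc=fu,dc=bar,dc=com",
    ],
}


def direct_members(group_dn, groups=GROUPS):
    """What a (memberOf=<group>) filter sees: user entries listed directly."""
    return sorted(m for m in groups.get(group_dn, []) if m not in groups)


def nested_members(group_dn, groups=GROUPS):
    """Expand group-valued uniqueMember values transitively, visiting each group once."""
    seen_groups, users, stack = set(), set(), [group_dn]
    while stack:
        g = stack.pop()
        if g in seen_groups:          # cycle or diamond: already expanded
            continue
        seen_groups.add(g)
        for m in groups.get(g, []):
            if m in groups:
                stack.append(m)       # a nested group: expand it later
            else:
                users.add(m)          # a user entry
    return sorted(users)


if __name__ == "__main__":
    g = "cn=xv64ut09,ou=groups,dc=fu,dc=bar,dc=com"
    print("direct:", direct_members(g))
    print("nested:", nested_members(g))
```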
Replication between 2.4.21 and 2.4.31
by Jason J. W. Williams
Hello,
For various reasons we may need to set up N-way multimaster replication
between OpenLDAP 2.4.21 and 2.4.31. Do folks see problems running different
patch releases in the same replication group?
-J
7 years, 7 months
Crash on ldap 2.4.41 on RedHat using mdb.
by ping-shin ching
Hi Folks,
I upload data approx (15 million entries) using slapadd. Then start the server and run some searches. Not all searches crash - only some. I get some results before slapd core dumps. Do I need to furnish any more information?
gcc (GCC) 4.4.7 20120313 (Red Hat 4.4.7-3)
Configure options...
--without-cyrus-sasl \
--disable-bdb \
--disable-hdb \
--enable-ldap \
--enable-mdb \
--enable-constraint \
--enable-accesslog; \
backtrace...
Core was generated by `./slapd -h ldap://:1389 -f /data/openldap24/etc/openldap/slapd.conf'.
Program terminated with signal 11, Segmentation fault.
#0 0x00000000004940fa in mdb_node_read (txn=0x7f9dec102b00, leaf=0x7f9e3914c736, data=0x7f9df15f6020) at ./../../../libraries/liblmdb/mdb.c:5350
5350 data->mv_size = NODEDSZ(leaf);
Missing separate debuginfos, use: debuginfo-install glibc-2.12-1.166.el6_7.3.x86_64
(gdb) where
#0 0x00000000004940fa in mdb_node_read (txn=0x7f9dec102b00, leaf=0x7f9e3914c736, data=0x7f9df15f6020) at ./../../../libraries/liblmdb/mdb.c:5350
#1 0x00000000004978db in mdb_cursor_set (mc=0x7f9dec104480, key=0x7f9df366c320, data=0x7f9df15f6020, op=MDB_SET, exactp=<value optimized out>) at ./../../../libraries/liblmdb/mdb.c:5787
#2 0x000000000049818a in mdb_cursor_get (mc=0x7f9dec104480, key=0x7f9df366c320, data=0x7f9df15f6020, op=<value optimized out>) at ./../../../libraries/liblmdb/mdb.c:5952
#3 0x00000000004a2c81 in mdb_waitfixup (op=0x7f9dec102570, ww=0x7f9df37fc460, mci=<value optimized out>, mcd=0x7f9dec104480, scopes=0x7f9df12f5010) at search.c:377
#4 0x00000000004a52bc in mdb_search (op=0x7f9dec102570, rs=<value optimized out>) at search.c:1114
#5 0x000000000048179e in overlay_op_walk (op=0x7f9dec102570, rs=0x7f9df37fda30, which=<value optimized out>, oi=0x214ca50, on=0x0) at backover.c:677
#6 0x0000000000482213 in over_op_func (op=0x7f9dec102570, rs=<value optimized out>, which=<value optimized out>) at backover.c:730
#7 0x000000000041f871 in fe_op_search (op=0x7f9dec102570, rs=0x7f9df37fda30) at search.c:402
#8 0x000000000042009c in do_search (op=0x7f9dec102570, rs=0x7f9df37fda30) at search.c:247
#9 0x000000000041d959 in connection_operation (ctx=0x7f9df37fdb70, arg_v=0x7f9dec102570) at connection.c:1155
#10 0x000000000041e0cd in connection_read_thread (ctx=0x7f9df37fdb70, argv=<value optimized out>) at connection.c:1291
#11 0x00000000004ef7a0 in ldap_int_thread_pool_wrapper (xpool=0x20af380) at tpool.c:696
#12 0x00000034a7c079d1 in start_thread () from /lib64/libpthread.so.0
#13 0x00000034a78e8b5d in epoll_pwait () from /lib64/libc.so.6
#14 0x0000000000000000 in ?? ()
7 years, 7 months
ldap separate OU-administrator account
by Gary Spencer
Hi,
I need some guidance, I have a simple DIT with users in the users OU, and a separate OU for admins.
In addition to the Manager, I have created an admin2 account in the admins OU, however default permissions don't allow the admin2.admins.domain.tld to create users in the users.domain.tld OU.
I also don't want admin2 to have equal permissions to Manager, I am giving that account away to our users administrator and they only need access to create/modify/delete users under the users OU (on basis of least privilege I don't want them to have full access).
I am using dynamic ldap, I have already created the users and admin accounts, I just need guidance on adding the ACLs.
I am a complete novice with openldap, what do I need to do to grant the correct olcAccess so that the admin2 account can create users in the users.domain.tld OU?
I'd also like a read-only admin in the admins OU that can view all details for all users under users OU?
And cream on top of the cake, I'd like to prohibit accounts in the users OU from looking at any of the rest of the LDAP objects other than self?
I think I'm right I need to modify the olcAccess access rules, but don't know how, current olcAccess rules follow:-
dn: olcDatabase={2}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {2}hdb
<... CUT ...>
olcSuffix: dc=domain,dc=tld
olcRootDN: cn=Manager,dc=domain,dc=tld
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=Manager,dc=domain,dc=tld" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=Manager,dc=domain,dc=tld" write by * read
(I have tweaked the text output to replace our domain, please ignore any typos I may have inadvertently introduced)
I have read the admin guides and man pages, but I can't clearly see what ldif stanzas I need to construct?
Thanks in advance.
Gary Spencer
7 years, 7 months
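The reason the rules quoted above give admin2 nothing beyond read is slapd's evaluation order: the first olcAccess whose "to" clause matches the target entry is the only one considered, and within it the first matching "by" clause sets the level. With no rule scoped to the users OU, admin2 falls through to `{2}to *` and its `by * read`. This added example (not from the post and not slapd's code) is a small evaluator for the subset of slapd.access(5) syntax the post uses, run over the quoted rules and over an assumed variant that inserts a rule scoped to the users subtree before the catch-all. The admin2 and user DNs, the OU names and the proposed rule are this example's assumptions; `dn="..."` is treated as an exact match, and adding an entry is modelled as write access to the entry itself.

```python
"""First-match evaluation of olcAccess rules (simplified slapd.access(5) model)."""
import re

LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
ROOT_DN = "cn=Manager,dc=domain,dc=tld"       # olcRootDN from the post

# The rules quoted in the post.
CURRENT_RULES = [
    '{0}to attrs=userPassword,shadowLastChange by dn="cn=Manager,dc=domain,dc=tld" write by anonymous auth by self write by * none',
    '{1}to dn.base="" by * read',
    '{2}to * by dn="cn=Manager,dc=domain,dc=tld" write by * read',
]
# Assumed variant: a users-subtree rule placed before the catch-all.
PROPOSED_RULES = [
    CURRENT_RULES[0],
    CURRENT_RULES[1],
    '{2}to dn.subtree="ou=users,dc=domain,dc=tld" by dn.exact="cn=admin2,ou=admins,dc=domain,dc=tld" write by * read',
    '{3}to * by dn="cn=Manager,dc=domain,dc=tld" write by * read',
]


def parse_rule(text):
    """'{n}to <what> by <who> <level> ...' -> (what, [(who, level), ...])."""
    body = re.sub(r"^\{\d+\}", "", text).strip()
    parts = re.split(r"\s+by\s+", body)
    what = parts[0][len("to "):].strip()
    clauses = [tuple(p.rsplit(" ", 1)) for p in parts[1:]]
    return what, clauses


def what_matches(what, target_dn, attr):
    """Does the <what> clause cover this entry/attribute?"""
    if what == "*":
        return True
    if what.startswith("attrs="):
        return attr in what[len("attrs="):].split(",")
    m = re.fullmatch(r'dn\.(base|subtree)="([^"]*)"', what)
    if not m:
        return False                       # styles not modelled here
    style, pat = m.groups()
    if style == "base":
        return target_dn == pat
    return pat == "" or target_dn == pat or target_dn.endswith("," + pat)


def who_matches(who, requester_dn, target_dn):
    """Does the <who> clause match the requester ('' = anonymous)?"""
    if who == "*":
        return True
    if who == "anonymous":
        return requester_dn == ""
    if who == "users":
        return requester_dn != ""
    if who == "self":
        return requester_dn != "" and requester_dn == target_dn
    m = re.fullmatch(r'dn(?:\.exact)?="([^"]*)"', who)   # assumption: exact match
    return bool(m) and requester_dn == m.group(1)


def granted(rules, requester_dn, target_dn, attr="entry"):
    """Level the first matching rule grants; 'none' if nothing matches."""
    if requester_dn == ROOT_DN:
        return "manage"                    # the rootdn is not subject to ACLs
    for rule in rules:
        what, clauses = parse_rule(rule)
        if not what_matches(what, target_dn, attr):
            continue
        for who, level in clauses:
            if who_matches(who, requester_dn, target_dn):
                return level
        return "none"                      # <what> matched, no <who> did: stop
    return "none"                          # no rule matched: implicit deny


def allowed(rules, requester_dn, target_dn, needed, attr="entry"):
    return LEVELS.index(granted(rules, requester_dn, target_dn, attr)) >= LEVELS.index(needed)


def report(rules):
    """The post's questions, answered for a rule set."""
    admin2 = "cn=admin2,ou=admins,dc=domain,dc=tld"      # assumed DN
    alice = "uid=alice,ou=users,dc=domain,dc=tld"        # assumed DN
    new_user = "uid=newuser,ou=users,dc=domain,dc=tld"   # entry admin2 wants to add
    return {
        "admin2_add_user": allowed(rules, admin2, new_user, "write"),
        "admin2_write_manager": allowed(rules, admin2, ROOT_DN, "write"),
        "alice_read_others": allowed(rules, alice, new_user, "read"),
        "alice_set_own_password": allowed(rules, alice, alice, "write", attr="userPassword"),
    }


if __name__ == "__main__":
    print("current: ", report(CURRENT_RULES))
    print("proposed:", report(PROPOSED_RULES))
```

Two things the run makes visible: the proposed rule has to sit before the `to *` catch-all or it is never reached, and neither rule set touches the last wish in the post, since `by * read` in the catch-all still lets a user in the users OU read every other entry.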
Using TLS not seeing EXTERNAL as supported SASL mechanism
by Bill MacAllister
I am working on using TLS on an OpenLDAP server and having issues.
Basically I can make a TLS connection, but I don't see EXTERNAL as
one of the supportedSASLMechanisms. (slapd 2.4.41+dfsg-1ubuntu2~dbp0
built with openssl)
Here is my ldapsearch:
$ ldapsearch -h ldap-test-master1.corp.dropbox.com -x -ZZ -b '' -s base supportedSASLMechanisms
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: supportedSASLMechanisms
#
#
dn:
supportedSASLMechanisms: GS2-IAKERB
supportedSASLMechanisms: GS2-KRB5
supportedSASLMechanisms: SCRAM-SHA-1
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: NTLM
supportedSASLMechanisms: LOGIN
supportedSASLMechanisms: PLAIN
# search result
search: 3
result: 0 Success
# numResponses: 2
Here is what I see in the server log:
2016-02-09T02:40:00.797598+00:00 ldap-test-master1 slapd[22379]: conn=1008 fd=14 ACCEPT from IP=172.17.8.240:47231 (IP=0.0.0.0:389)
2016-02-09T02:40:00.797640+00:00 ldap-test-master1 slapd[22379]: conn=1008 op=0 EXT oid=1.3.6.1.4.1.1466.20037
2016-02-09T02:40:00.797646+00:00 ldap-test-master1 slapd[22379]: conn=1008 op=0 STARTTLS
2016-02-09T02:40:00.797686+00:00 ldap-test-master1 slapd[22379]: conn=1008 op=0 RESULT oid= err=0 text=
2016-02-09T02:40:00.804071+00:00 ldap-test-master1 slapd[22379]: conn=1008 fd=14 TLS established tls_ssf=256 ssf=256
2016-02-09T02:40:00.804540+00:00 ldap-test-master1 slapd[22379]: conn=1008 op=1 BIND dn="" method=128
2016-02-09T02:40:00.804590+00:00 ldap-test-master1 slapd[22379]: conn=1008 op=1 RESULT tag=97 err=0 text=
2016-02-09T02:40:00.804931+00:00 ldap-test-master1 slapd[22379]: conn=1008 op=2 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
2016-02-09T02:40:00.804941+00:00 ldap-test-master1 slapd[22379]: conn=1008 op=2 SRCH attr=supportedSASLMechanisms
2016-02-09T02:40:00.805056+00:00 ldap-test-master1 slapd[22379]: conn=1008 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
2016-02-09T02:40:00.805483+00:00 ldap-test-master1 slapd[22379]: conn=1008 op=3 UNBIND
2016-02-09T02:40:00.805587+00:00 ldap-test-master1 slapd[22379]: conn=1008 fd=14 closed
What should I be looking at? What am I missing?
Thanks in advance,
Bill
7 years, 7 months
openldap 2.4.44 does not provide an slapd.d
by Mary Kao
Hello,
I compiled openldap 2.4.44 on scientific linux and discovered it didn't create a slapd.d directory.
There is however, a slapd.conf file.
Is this right?
If so, I would need to convert the slapd.conf file to slapd.d?
Thanks!
7 years, 7 months
Re: make posixGroup auxiliary in 2.4.40
by Chris
Michael Ströder wrote:
> Chris wrote:
>> I'm moving from OpenLDAP 2.2.x to 2.4.40 and have wasted hours trying to
>> achieve the following:
>> mailGroup (Postfix) is used as structural class, posixGroup (NIS) as auxiliary.
>> Anyway. I can't add rfc2307bis schema, because NIS is already included.
>> I've tried different methods to get rid of NIS, but they're not working.
>> Is there any way to make posixGroup auxiliary?
> Are you using static or dynamic configuration?
> If you're using static configuration you simply omit nis.schema.
I'm using dynamic configuration (Debian Jessie).
> Note that rfc2307bis.schema requires a migration from old posixGroup entries
> because the membership attribute also changes.
They have already used rfc2307bis with static configuration and commented
NIS out. They didn't use NIS, my bad. Nevertheless NIS is "included" in
dynamic configuration. NIS and rfc2307 are mutually exclusive.
The issue eased, since I can do without the rfc2307bis attributes,
essentially posixGroup and gidNumber.
Nevertheless, is there a way to use rfc2307bis with dynamic configuration?
Should one switch to static config. in this case?
- Chris
7 years, 7 months