openldap-technical February 2016

openldap-technical@openldap.org

56 participants
68 discussions

Re: make posixGroup auxiliary in 2.4.40
by Chris 09 Feb '16

09 Feb '16

Michael StrÃ¶der wrote: > Chris wrote: >> I'm moving from OpenLDAP 2.2.x to 2.4.40 and have wasted hours trying to >> achieve the following: >> mailGroup (Postfix) is used as structural class, posixGroup (NIS) as auxiliary. >> Anyway. I can't add rfc2307bis schema, because NIS is already included. I've tried different methods to get rid of NIS, but they're not working. >> Is there any way to make posixGroup auxiliary? > Are you using static or dynamic configuration? > If you're using static configuration you simply omit nis.schema. I'm using dynamic configuration (Debian Jessie). > Note that rfc2307bis.schema requires a migration from old posixGroup entries > because the membership attribute also changes. They have already used rfc2307bis with static configuration and commented NIS out. They didn't use NIS, my bad. Nevertheless NIS is "included" in dynamic configuration. NIS and rfc2307 are mutually exclusive. The issue eased, since I can do without the rfc2307bis attributes, essentially posixGroup and gidNumber. Nevertheless, is there a way to use rfc2307bis with dynamic configuration? Should one switch to static config. in this case? - Chris

2 1

rebuilding the DIT
by Timothy Keith 09 Feb '16

09 Feb '16

How can I recreate the DIT using the output from slapcat ? I want to change the suffix when I do this. First, I ran slapcat: slapcat -v -l slapcat_backup.ldif Or just point me to the appropriate documentation. Tim

3 2

Authenticating mac users on ldap
by robert k Wild 09 Feb '16

09 Feb '16

Hi all, I want to know or if anyone has done it, i want to be able to login via my ldap user on a mac I know it works on linux as i have been able to login via ldap on my centos machine Also i have mounted my ldap server, (where all the home shares are) via autofs How can i get this to work Many thanks Rob

1 0

BINDDN in ~/.ldaprc ignored(?)
by Frank Thommen 09 Feb '16

09 Feb '16

Hi, BINDDN in ~/.ldaprc seems to be ignored or I'm doing something wrong. /etc/openldap/ldap.conf is empty. ~/.ldaprc is: $ cat ~/.ldaprc BINDDN <myBindDN> BASE <myBaseDN> URI ldaps://<myLDAPServer> TLS_REQCERT never $ ldapsearch returns an error if I don't declare the bindDN on the commandline: $ ldapsearch -W -v cn=xyz ldap_initialize( <DEFAULT> ) Enter LDAP Password: SASL/GSSAPI authentication started ldap_sasl_interactive_bind_s: Local error (-2) additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available) $ Using strace I can see, that ~/.ldaprc is accessed by ldapsearch. So either BINDDN is ignored or I am doing something wrong. but works happily with the bindDN on the commandline: $ ldapsearch -D <myBindDN> -W -v cn=xyz ldap_initialize( <DEFAULT> ) Enter LDAP Password: [... ldapsearch results ...] $ Using strace I can see, that ~/.ldaprc is accessed by ldapsearch. So either BINDDN is ignored or I am doing something wrong. This is with openSUSE 13.1 and ldapsearch 2.4.33. Cheers Frank

3 3

Re: BINDDN in ~/.ldaprc ignored(?)
by Frank Thommen 09 Feb '16

09 Feb '16

On 02/09/2016 02:22 PM, Michael Wandel wrote: > On 09.02.2016 10:28, Frank Thommen wrote: >> Hi, >> >> BINDDN in ~/.ldaprc seems to be ignored or I'm doing something wrong. >> >> /etc/openldap/ldap.conf is empty. >> >> ~/.ldaprc is: >> >> $ cat ~/.ldaprc >> BINDDN <myBindDN> >> BASE <myBaseDN> >> URI ldaps://<myLDAPServer> >> TLS_REQCERT never >> $ >> >> >> ldapsearch returns an error if I don't declare the bindDN on the >> commandline: >> >> $ ldapsearch -W -v cn=xyz >> ldap_initialize( <DEFAULT> ) >> Enter LDAP Password: >> SASL/GSSAPI authentication started >> ldap_sasl_interactive_bind_s: Local error (-2) >> additional info: SASL(-1): generic failure: GSSAPI Error: >> Unspecified GSS failure. Minor code may provide more information (No >> Kerberos credentials available) >> $ >> > > can you please check if > > ldapsearch -x -W -v cn=xyz > > is working ? That works fine f. > > best regards > michael > >> Using strace I can see, that ~/.ldaprc is accessed by ldapsearch. So >> either BINDDN is ignored or I am doing something wrong. >> >> but works happily with the bindDN on the commandline: >> >> $ ldapsearch -D <myBindDN> -W -v cn=xyz >> ldap_initialize( <DEFAULT> ) >> Enter LDAP Password: >> [... ldapsearch results ...] >> $ >> >> Using strace I can see, that ~/.ldaprc is accessed by ldapsearch. So >> either BINDDN is ignored or I am doing something wrong. >> >> This is with openSUSE 13.1 and ldapsearch 2.4.33. >> >> >> Cheers >> Frank >> > > -- Frank Thommen | HD-HuB / DKFZ Heidelberg | f.thommen(a)dkfz-heidelberg.de | TP3: +49-6221-42-3562 (Mo+Di) | IPMB: +49-6221-54-5823 (Mi-Do)

1 0

make posixGroup auxiliary in 2.4.40
by Chris 09 Feb '16

09 Feb '16

Dear All, I'm moving from OpenLDAP 2.2.x to 2.4.40 and have wasted hours trying to achieve the following: mailGroup (Postfix) is used as structural class, posixGroup (NIS) as auxiliary. Anyway. I can't add rfc2307bis schema, because NIS is already included. I've tried different methods to get rid of NIS, but they're not working. Is there any way to make posixGroup auxiliary? Thank you in advance. - Chris

2 1

Re: [OpenLDAP][Authentication] SASL
by Timothy Keith 08 Feb '16

08 Feb '16

On Mon, Feb 8, 2016 at 6:07 PM, Quanah Gibson-Mount <quanah(a)zimbra.com> wrote: > --On Monday, February 08, 2016 6:04 PM -0600 Timothy Keith > <timothy.g.keith(a)gmail.com> wrote: > >> On Sun, Feb 7, 2016 at 6:55 AM, Michael Ströder <michael(a)stroeder.com> >> wrote: >>> >>> Timothy Keith wrote: >>>> >>>> How can I know that slapd was built with -enable-spasswd ? >>> >>> >>> By looking at the configure command in the build script, spec file in >>> source RPM or whatever produced the binary builds you're using. >>> >>> Ciao, Michael. >>> >> >> I extracted the files from the yum binary packages. It is 2.4.40-7. >> I don't think there is a way to determine what the configure options >> were at build time. > > > You need to download the *source* RPM not the *binary* RPM, as the source > RPM includes the SPEC file used to build OpenLDAP. > > --Quanah > > -- > > Quanah Gibson-Mount > Platform Architect > Zimbra, Inc. > -------------------- > Zimbra :: the leader in open source messaging and collaboration > A division of Synacor, Inc This was found in a spec file from the src RPM : ./openldap-2/openldap.spec %configure \ --enable-rlookups \ \ --with-tls=moznss \ --with-cyrus-sasl \ \ --enable-wrappers \ \ --enable-passwd \ \ --enable-cleartext \ --enable-crypt \ --enable-spasswd \ --disable-lmpasswd \ --enable-modules \ --disable-sql \ \ --libexecdir=%{_libdir} \ $@ Looks okay for pass-through. Thanks, Tim

1 0

Re: [OpenLDAP][Authentication] SASL
by Timothy Keith 08 Feb '16

08 Feb '16

The first attempt fails : ldapwhoami -v -ZZ -Y EXTERNAL ldap_initialize( <DEFAULT> ) ldap_start_tls: Connect error (-11) additional info: TLS: hostname does not match CN in peer certificate This also fails : ldapsearch -LLL -Y EXTERNAL -H ldaps:/// -b "" -s base + ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1) Tim On Thu, Jan 21, 2016 at 7:43 PM, Sergio NNX <sfhacker(a)hotmail.com> wrote: >> My scenario is relatively simple. > Simple, but it doesn't work, right? > > Are you after something similar to the output below? > > ldapwhoami -v -ZZ -Y EXTERNAL > > SASL/EXTERNAL authentication started > SASL username: 2.5.4.13=End User Certificate (OpenLDAP > 2.4.43),2.5.4.5=1234-2015 > -UK,title=Mr,ou=Finance Department,o=MateAR.eu IT > Solutions,l=Westminster,st=Lon > don,c=GB,email=info(a)matear.eu,0.9.2342.19200300.100.1.1=Administrator,dc=EU,cn=A > dministrator > SASL SSF: 0 > dn:description=end user certificate (openldap > 2.4.43),serialNumber=1234-2015-uk, > title=mr,ou=finance department,o=matear.eu it > solutions,l=westminster,st=london, > c=gb,email=info(a)matear.eu,uid=administrator,dc=eu,cn=administrator > Result: Success (0) > > > ldapsearch -LLL -Y EXTERNAL -H ldaps:/// -b "" -s base + > > SASL/EXTERNAL authentication started > SASL username: 2.5.4.13=End User Certificate (OpenLDAP > 2.4.43),2.5.4.5=1234-2015 > -UK,title=Mr,ou=Finance Department,o=MateAR.eu IT > Solutions,l=Westminster,st=Lon > don,c=GB,email=info(a)matear.eu,0.9.2342.19200300.100.1.1=Administrator,dc=EU,cn=A > dministrator > SASL SSF: 0 > dn: > structuralObjectClass: OpenLDAProotDSE > configContext: cn=config > monitorContext: cn=Monitor > namingContexts: dc=my-domain,dc=com > supportedControl: 1.3.6.1.4.1.4203.1.9.1.1 > supportedControl: 2.16.840.1.113730.3.4.18 > supportedControl: 2.16.840.1.113730.3.4.2 > supportedControl: 1.3.6.1.4.1.4203.1.10.1 > supportedControl: 1.3.6.1.1.22 > supportedControl: 1.2.840.113556.1.4.319 > supportedControl: 1.2.826.0.1.3344810.2.3 > supportedControl: 1.3.6.1.1.13.2 > supportedControl: 1.3.6.1.1.13.1 > supportedControl: 1.3.6.1.1.12 > supportedExtension: 1.3.6.1.4.1.1466.20037 > supportedExtension: 1.3.6.1.4.1.4203.1.11.1 > supportedExtension: 1.3.6.1.4.1.4203.1.11.3 > supportedExtension: 1.3.6.1.1.8 > supportedFeatures: 1.3.6.1.1.14 > supportedFeatures: 1.3.6.1.4.1.4203.1.5.1 > supportedFeatures: 1.3.6.1.4.1.4203.1.5.2 > supportedFeatures: 1.3.6.1.4.1.4203.1.5.3 > supportedFeatures: 1.3.6.1.4.1.4203.1.5.4 > supportedFeatures: 1.3.6.1.4.1.4203.1.5.5 > supportedLDAPVersion: 3 > supportedSASLMechanisms: SRP > supportedSASLMechanisms: SCRAM-SHA-1 > supportedSASLMechanisms: GSSAPI > supportedSASLMechanisms: GSS-SPNEGO > supportedSASLMechanisms: DIGEST-MD5 > supportedSASLMechanisms: EXTERNAL > supportedSASLMechanisms: OTP > supportedSASLMechanisms: CRAM-MD5 > supportedSASLMechanisms: NTLM > supportedSASLMechanisms: LOGIN > supportedSASLMechanisms: PLAIN > entryDN: > subschemaSubentry: cn=Subschema >

5 10

OpenLDAP 2.4.44 RPM packages available on LTB project
by Clément OUDOT 08 Feb '16

08 Feb '16

Hi, LTB RPM packages for OpenLDAP 2.4.44 are available: http://ltb-project.org/wiki/download#packages_for_red_hatcentos Debian packages should follow soon. -- Clément OUDOT Consultant en logiciels libres, Expert infrastructure et sécurité Savoir-faire Linux

1 0

LMDB mmap usage
by Kristoffer Sjögren 06 Feb '16

06 Feb '16

Hi Our application do lots of caching using vmtouch, up to a point where there isn't a lot of memory left on the machine. We would like to use LMDB on the same machine to store around 40GiB data of a few hundred million entries. How can we best understand the interaction and behavior of the OS cache and sharing of memory between processes? Is LMDB doing something to help the OS? Cheers, -Kristoffer

3 7

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical February 2016