openldap-technical May 2017

openldap-technical@openldap.org

45 participants
79 discussions

Re: How wold you go about writing a new OpenLDAP backend?
by Howard Chu 31 May '17

31 May '17

Michael Ströder wrote: > Howard Chu wrote: >> John Lewis wrote: >>> What if I wanted to write a OpenLDAP backend for a systemd journal file >>> or Elasticsearch so I can present my logs as an LDAP subtree so I can >>> use my LDAP tools to filter my logs? Should I use back-shell for >>> prototyping? If so, what is the usual work flow? >> >> back-shell might work for rough prototyping. back-sock would be more reasonable these >> days. > > For prototyping a back-sock listener in Python you could give module slapdsock a try: > > https://pypi.python.org/pypi/slapdsock > > Personally I use it for OATH-LDAP's bind listeners which seem to work fairly robust on > moderate load. But the release 0.5.2 should also work with all other request types. > > If you have a non-trivial deployment the sheer amount of log data can cause some > interesting performance issues. Indeed. Still it's an interesting idea; I've often thought about writing an ElasticSearch replacement on top of OpenLDAP. In a native backend it would be orders of magnitude faster than their stuff. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

3 2

Re: How wold you go about writing a new OpenLDAP backend?
by Howard Chu 31 May '17

31 May '17

John Lewis wrote: > What if I wanted to write a OpenLDAP backend for a systemd journal file > or Elasticsearch so I can present my logs as an LDAP subtree so I can > use my LDAP tools to filter my logs? Should I use back-shell for > prototyping? If so, what is the usual work flow? back-shell might work for rough prototyping. back-sock would be more reasonable these days. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

2 1

Re: SIGPIPE on OS X fix still pending (ITS#8590)
by Lorenz Bauer 31 May '17

31 May '17

Hello Quanah, On 26 May 2017 at 20:36, Quanah Gibson-Mount <quanah(a)symas.com> wrote: > Generally, we need secondary confirmation on the patch. That makes sense. I've written a test program which exercises the different ways of generating SIGPIPE, available at [1]. This should make verifying the patch easier. I'll also update the ITS. Best, Lorenz 1: https://gist.github.com/lmb/a35e7b9566fa79e7bf971ac21bbb9efb -- Lorenz Bauer | Systems Engineer 25 Lavington St., London SE1 0NZ www.cloudflare.com

1 0

Re: Re: OpenLDAP / Active directory cohabitation
by Clément OUDOT 30 May '17

30 May '17

2017-05-30 8:10 GMT+02:00 Ulrich Windl <Ulrich.Windl(a)rz.uni-regensburg.de>: > I have one question: Why is hte AD admin accound needed to authenticate? I see > a problem with the AD admin password being stored in cleartext in the saslauthd > configuration... You don't need AD admin password, you just need a standard AD account that can read user entries (no write access required). Clément.

1 0

Re: Antw: Re: OpenLDAP / Active directory cohabitation
by Dan White 30 May '17

30 May '17

On 05/30/17 08:10 +0200, Ulrich Windl wrote: >>>> Clément OUDOT <clem.oudot(a)gmail.com> schrieb am 29.05.2017 um 20:43 in >Nachricht ><CAK_oV4-DYo6d=LgWnu7foGkYQ4n9mjHiDbmo1t9uGyJT5e8EFQ(a)mail.gmail.com>: >> 2017-05-29 19:00 GMT+02:00 Dan White <dwhite(a)cafedemocracy.org>: >>> On 05/29/17 23:36 +0900, Alexandre Rosenberg wrote: >>>> >>>> I am in a environment where we use both OpenLDAP and Active Directory. >>>> All Linux servers authenticate against OpenLDAP where we have user group, >>>> unix group (...) >>> >>> Pass-through authentication should work if you're performing simple binds. >>> Chapter 14 of the admin guide has a good example. >> >> You can also find a tutorial here: >> https://ltb-project.org/documentation/general/sasl_delegation > >I have one question: Why is hte AD admin accound needed to authenticate? I see >a problem with the AD admin password being stored in cleartext in the saslauthd >configuration... Here's a simpler approach that does not require storing a password: https://www.openldap.org/lists/openldap-technical/201106/msg00198.html This was tested against AD 2003. You may need to use ldaps with newer versions. -- Dan White

1 0

ACL and Dynamic Groups
by Ivan Athanazio 28 May '17

28 May '17

Dear Members, I have a problem that consists in allow a member of a group to manage accounts that have a value in an attribute. My organization structure is as the following example: -Organization --Branch1 ---Branch1-HR ---Branch1-divisionA ---Branch2-divisionB --Branch2 ---Branch2-HR The way that I figured out to make it work was using Dynamic Lists to group users that have the attribute value. So I activated the dynlists overlay and configured it. My OpenLDAP DIT is as showed bellow: -dc=something,dc=something2,dc=br --ou=Group ---cn=s-brach1admin-rw ----dn=uid=user3,ou-People,dc=something,dc=something2,dc=br ---cn=branch1-users (dynamic group that contains DN's of users filtered by departmentNumber=divisionA or departmentNumber=divisionB) ----dn=uid=user1,ou-People,dc=something,dc=something2,dc=br ----dn=uid=user2,ou-People,dc=something,dc=something2,dc=br --ou=People ---uid=user1 (attr: inetorgperson departmentNumber=divisionA) ---uid=user2 (attr: inetorgperson departmentNumber=divisionB) ---uid=user3 So, now, I need an ACL that allow members of cn=s-branch1admin-rw to manage user1, user2 and any other user that is in the dynamic group cn=branch1-users. I searched the web and didn't found any result that shows exactly how to build this ACL. I tried some ways to write it, specially this two forms: 1) access to dn.children="cn=branch1-users,dc=something,dc=something2,dc=br" by set="[cn=s-branch1admin-rw,ou=Group,dc=something,dc=something2,dc=br]/member*" manage 2) access to dn.children="cn=branch1-users,dc=something,dc=something2,dc=br" by group.exact="cn=s-branch1admin-rw,ou=Group,dc=something,dc=something2,dc=br" manage And some other forms and any of these appears to work. So, If someone already did it or know about it, can help me with ACL and Dynamic Groups? Thanks for the help and for the patience with my long e-mail. Best regards! Ivan Athanazio

1 0

Re: SIGPIPE on OS X fix still pending (ITS#8590)
by Quanah Gibson-Mount 26 May '17

26 May '17

--On Thursday, May 25, 2017 3:11 PM +0100 Lorenz Bauer <lmb(a)cloudflare.com> wrote: > Hello list / maintainers, > > I submitted http://www.openldap.org/its/index.cgi?findid=8590 back in > February, and it's still pending. Could you have a look and let me > know if the patch is acceptable? Hi Lorenz, Generally, we need secondary confirmation on the patch. I'm not aware of anyone on the OpenLDAP development team that makes use of OSX, so we're not really able to do that in this case. Some Apple employees used to lurk on here, I don't know if they still do. Or perhaps there are others on the list that can confirm. Regards, Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

1 0

Re: Can I do this with openldap ?
by Quanah Gibson-Mount 26 May '17

26 May '17

--On Friday, May 26, 2017 12:07 PM +0000 Roelof Wobben <rwobben(a)hotmail.com> wrote: > > > Thanks all. I use now Ubuntu 17.04 for the client and Ubuntu 16.06 LTS > for the server. > > > > So as I understand LDAP can only be used for authentication and for > autortication I have to look for other software. LDAP can be used for both authz and authc if the software in question was well written. If the software in question was poorly written, it probably won't be possible. But that is not an LDAP limitation, that is a limitation due to the software developer. --Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

1 0

Can I do this with openldap ?
by Roelof Wobben 26 May '17

26 May '17

Hello, My boss wants to run everything from a server. But he wants also that I can take care of that some of the software is only used by some people. So the cad software is only used by the drawers and not by the financial people. Can I do this with openldap or if it cannot be done , which software can I then use the best. I work on Ubuntu Server 16.04 LTS. Regards, Roelof

6 6

SIGPIPE on OS X fix still pending (ITS#8590)
by Lorenz Bauer 25 May '17

25 May '17

Hello list / maintainers, I submitted http://www.openldap.org/its/index.cgi?findid=8590 back in February, and it's still pending. Could you have a look and let me know if the patch is acceptable? Best, Lorenz -- Lorenz Bauer | Systems Engineer 25 Lavington St., London SE1 0NZ www.cloudflare.com

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical May 2017