Re: How would you go about writing a new OpenLDAP backend?
by Howard Chu
Michael Ströder wrote:
> Howard Chu wrote:
>> John Lewis wrote:
>>> What if I wanted to write a OpenLDAP backend for a systemd journal file
>>> or Elasticsearch so I can present my logs as an LDAP subtree so I can
>>> use my LDAP tools to filter my logs? Should I use back-shell for
>>> prototyping? If so, what is the usual work flow?
>>
>> back-shell might work for rough prototyping. back-sock would be more reasonable these
>> days.
>
> For prototyping a back-sock listener in Python you could give module slapdsock a try:
>
> https://pypi.python.org/pypi/slapdsock
>
> Personally I use it for OATH-LDAP's bind listeners, which seem to work fairly robustly under
> moderate load. But the release 0.5.2 should also work with all other request types.
>
> If you have a non-trivial deployment the sheer amount of log data can cause some
> interesting performance issues.
Indeed. Still it's an interesting idea; I've often thought about writing an
ElasticSearch replacement on top of OpenLDAP. In a native backend it would be
orders of magnitude faster than their stuff.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
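To make the back-sock prototyping route concrete, here is an added example (not code from the thread, and not the slapdsock project's own code) of a minimal listener that exposes journal-style records as an LDAP subtree. It follows the request and response layout described in slapd-sock(5), but only the SEARCH operation and a tiny filter subset (presence and equality) are handled; the suffix, the objectClass and attribute names, and the sample records are all assumptions constructed for the example. It honours the client's sizelimit and returns LDAP_SIZELIMIT_EXCEEDED (4) when the log view would otherwise flood the client, which is the practical answer to the "sheer amount of log data" caveat above.

```python
# Added example: a socket-free model of a slapd-sock(5) listener that serves
# constructed journal records as LDAP entries. Only SEARCH is supported and the
# filter grammar is deliberately tiny. All names below are assumptions.
import re
import socketserver

SUFFIX = "ou=journal,dc=example,dc=com"   # assumed subtree for the log view

# Constructed sample records in the shape of journal fields (not real log data).
JOURNAL = [
    {"__CURSOR": "c1", "SYSLOG_IDENTIFIER": "sshd",
     "PRIORITY": "6", "MESSAGE": "Accepted publickey for alice"},
    {"__CURSOR": "c2", "SYSLOG_IDENTIFIER": "sshd",
     "PRIORITY": "4", "MESSAGE": "Invalid user admin from 192.0.2.7"},
    {"__CURSOR": "c3", "SYSLOG_IDENTIFIER": "cron",
     "PRIORITY": "6", "MESSAGE": "(root) CMD (run-parts /etc/cron.hourly)"},
]

BASE_ENTRY = {"dn": [SUFFIX], "objectClass": ["top", "organizationalUnit"],
              "ou": ["journal"]}


def journal_to_entry(rec):
    """Map one journal record to an LDAP entry (attr -> list of values).
    journalEntry and the attribute names are hypothetical schema."""
    return {
        "dn": [f"cn={rec['__CURSOR']},{SUFFIX}"],
        "objectClass": ["top", "journalEntry"],
        "cn": [rec["__CURSOR"]],
        "syslogIdentifier": [rec["SYSLOG_IDENTIFIER"]],
        "priority": [rec["PRIORITY"]],
        "message": [rec["MESSAGE"]],
    }


def parse_request(text):
    """Parse one back-sock request: operation on the first line, then
    'key: value' lines up to a blank line. Repeated keys collect into a list."""
    lines = text.split("\n")
    op = lines[0].strip()
    fields = {}
    for line in lines[1:]:
        if line == "":
            break
        key, _, value = line.partition(": ")
        fields.setdefault(key, []).append(value)
    return op, fields


def matches(entry, flt):
    """Evaluate (attr=*) presence and (attr=value) equality, case-insensitively.
    Any other filter shape matches nothing rather than everything."""
    m = re.fullmatch(r"\((\w+)=(.*)\)", flt)
    if not m:
        return False
    attr, value = m.group(1).lower(), m.group(2)
    values = next((v for k, v in entry.items() if k.lower() == attr), [])
    if value == "*":
        return bool(values)
    return any(v.lower() == value.lower() for v in values)


def entry_to_ldif(entry):
    return "\n".join(f"{k}: {v}" for k, vals in entry.items() for v in vals) + "\n"


def result(msgid, code, info=""):
    """RESULT block terminated by a blank line, as slapd expects."""
    return f"RESULT\nmsgid: {msgid}\ncode: {code}\ninfo: {info}\n\n"


def handle_request(text):
    """Return the text slapd would read back for one request."""
    op, f = parse_request(text)
    msgid = f.get("msgid", ["0"])[0]
    if op != "SEARCH":
        return result(msgid, 53, "unwilling to perform")   # LDAP_UNWILLING_TO_PERFORM
    if f.get("base", [""])[0].lower() != SUFFIX.lower():
        return result(msgid, 32, "no such object")         # LDAP_NO_SUCH_OBJECT
    scope = int(f.get("scope", ["2"])[0])                  # 0=base 1=one 2=sub
    flt = f.get("filter", ["(objectClass=*)"])[0]
    limit = int(f.get("sizelimit", ["0"])[0])
    children = [journal_to_entry(r) for r in JOURNAL]
    candidates = {0: [BASE_ENTRY], 1: children}.get(scope, [BASE_ENTRY] + children)
    entries = [e for e in candidates if matches(e, flt)]
    code = 0
    if limit and len(entries) > limit:
        entries, code = entries[:limit], 4                 # LDAP_SIZELIMIT_EXCEEDED
    body = "".join(entry_to_ldif(e) + "\n" for e in entries)
    return body + result(msgid, code)


class _Handler(socketserver.StreamRequestHandler):
    def handle(self):
        lines = []
        while True:
            line = self.rfile.readline().decode()
            if line in ("", "\n"):
                break
            lines.append(line.rstrip("\n"))
        self.wfile.write(handle_request("\n".join(lines) + "\n\n").encode())


if __name__ == "__main__":
    # A "database sock" stanza in slapd would point at this path (assumed).
    with socketserver.UnixStreamServer("/tmp/journal.sock", _Handler) as srv:
        srv.serve_forever()
```

Running the script listens on a Unix socket and answers SEARCH requests; the pure functions can be exercised without slapd, which is the real value of this style for prototyping: the request parser and filter evaluation are tested in isolation before a single byte crosses the socket.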
Re: Re: OpenLDAP / Active directory cohabitation
by Clément OUDOT
2017-05-30 8:10 GMT+02:00 Ulrich Windl <Ulrich.Windl(a)rz.uni-regensburg.de>:
> I have one question: Why is the AD admin account needed to authenticate? I see
> a problem with the AD admin password being stored in cleartext in the saslauthd
> configuration...
You don't need AD admin password, you just need a standard AD account
that can read user entries (no write access required).
Clément.
Re: Antw: Re: OpenLDAP / Active directory cohabitation
by Dan White
On 05/30/17 08:10 +0200, Ulrich Windl wrote:
>>>> Clément OUDOT <clem.oudot(a)gmail.com> wrote on 29.05.2017 at 20:43 in
>message
><CAK_oV4-DYo6d=LgWnu7foGkYQ4n9mjHiDbmo1t9uGyJT5e8EFQ(a)mail.gmail.com>:
>> 2017-05-29 19:00 GMT+02:00 Dan White <dwhite(a)cafedemocracy.org>:
>>> On 05/29/17 23:36 +0900, Alexandre Rosenberg wrote:
>>>>
>>>> I am in a environment where we use both OpenLDAP and Active Directory.
>>>> All Linux servers authenticate against OpenLDAP where we have user group,
>>>> unix group (...)
>>>
>>> Pass-through authentication should work if you're performing simple binds.
>>> Chapter 14 of the admin guide has a good example.
>>
>> You can also find a tutorial here:
>> https://ltb-project.org/documentation/general/sasl_delegation
>
>I have one question: Why is the AD admin account needed to authenticate? I see
>a problem with the AD admin password being stored in cleartext in the saslauthd
>configuration...
Here's a simpler approach that does not require storing a password:
https://www.openldap.org/lists/openldap-technical/201106/msg00198.html
This was tested against AD 2003. You may need to use ldaps with newer
versions.
--
Dan White
ACL and Dynamic Groups
by Ivan Athanazio
Dear Members,
I have a problem that consists of allowing a member of a group to manage
accounts that have a certain value in an attribute.
My organization structure is as the following example:
-Organization
--Branch1
---Branch1-HR
---Branch1-divisionA
---Branch2-divisionB
--Branch2
---Branch2-HR
The way that I figured out to make it work was using Dynamic Lists to group
users that have the attribute value.
So I activated the dynlists overlay and configured it.
My OpenLDAP DIT is as shown below:
-dc=something,dc=something2,dc=br
--ou=Group
---cn=s-branch1admin-rw
----dn=uid=user3,ou=People,dc=something,dc=something2,dc=br
---cn=branch1-users (dynamic group that contains DNs of users filtered by
departmentNumber=divisionA or departmentNumber=divisionB)
----dn=uid=user1,ou=People,dc=something,dc=something2,dc=br
----dn=uid=user2,ou=People,dc=something,dc=something2,dc=br
--ou=People
---uid=user1 (attr: inetorgperson departmentNumber=divisionA)
---uid=user2 (attr: inetorgperson departmentNumber=divisionB)
---uid=user3
So, now, I need an ACL that allows members of cn=s-branch1admin-rw to manage
user1, user2 and any other user that is in the dynamic group
cn=branch1-users.
I searched the web and didn't find any result that shows exactly how to
build this ACL. I tried some ways to write it, especially these two forms:
1) access to
dn.children="cn=branch1-users,dc=something,dc=something2,dc=br" by
set="[cn=s-branch1admin-rw,ou=Group,dc=something,dc=something2,dc=br]/member*"
manage
2) access to
dn.children="cn=branch1-users,dc=something,dc=something2,dc=br" by
group.exact="cn=s-branch1admin-rw,ou=Group,dc=something,dc=something2,dc=br"
manage
And some other forms, and none of these appears to work.
So, if someone has already done this or knows about it, could you help me with ACLs and
dynamic groups?
Thanks for the help and for the patience with my long e-mail.
Best regards!
Ivan Athanazio
Re: SIGPIPE on OS X fix still pending (ITS#8590)
by Quanah Gibson-Mount
--On Thursday, May 25, 2017 3:11 PM +0100 Lorenz Bauer <lmb(a)cloudflare.com>
wrote:
> Hello list / maintainers,
>
> I submitted http://www.openldap.org/its/index.cgi?findid=8590 back in
> February, and it's still pending. Could you have a look and let me
> know if the patch is acceptable?
Hi Lorenz,
Generally, we need secondary confirmation on the patch. I'm not aware of
anyone on the OpenLDAP development team that makes use of OSX, so we're not
really able to do that in this case. Some Apple employees used to lurk on
here, I don't know if they still do. Or perhaps there are others on the
list that can confirm.
Regards,
Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
Re: Can I do this with openldap ?
by Quanah Gibson-Mount
--On Friday, May 26, 2017 12:07 PM +0000 Roelof Wobben
<rwobben(a)hotmail.com> wrote:
>
>
> Thanks all. I use now Ubuntu 17.04 for the client and Ubuntu 16.06 LTS
> for the server.
>
>
>
> So as I understand, LDAP can only be used for authentication, and for
> authorization I have to look for other software.
LDAP can be used for both authz and authc if the software in question was
well written. If the software in question was poorly written, it probably
won't be possible. But that is not an LDAP limitation, that is a
limitation due to the software developer.
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
Can I do this with openldap ?
by Roelof Wobben
Hello,
My boss wants to run everything from a server.
But he also wants me to make sure that some of the software is only used by some people. So the CAD software is only used by the drawers and not by the financial people.
Can I do this with openldap, or if it cannot be done, which software would be best to use?
I work on Ubuntu Server 16.04 LTS.
Regards,
Roelof