May 2017 - openldap-technical

Re: Client binding to a specific local address

by Quanah Gibson-Mount

Ah I see. No such option at this time that I am aware of. --Quanah > On May 11, 2017, at 1:42 PM, Daniel Le <daniel.le(a)exfo.com> wrote: > > Indeed, similarly to "telnet -b <client-local-address>" or Microsoft LDAP client API function ldap_set_option(LDAP_OPT_SOCKET_BIND_ADDRESSES...) and my system is a multi-homed host. > > Daniel > > -----Original Message----- > From: Michael Ströder [mailto:michael@stroeder.com] > Sent: Thursday, May 11, 2017 4:26 PM > To: Quanah Gibson-Mount <quanah(a)symas.com>; Daniel Le <daniel.le(a)exfo.com>; 'openldap-technical(a)openldap.org' <openldap-technical(a)openldap.org> > Subject: Re: Client binding to a specific local address > > Quanah Gibson-Mount wrote: >> --On Thursday, May 11, 2017 6:38 PM +0000 Daniel Le <daniel.le(a)exfo.com> wrote: >>> Thanks for the answer, however the -h <URI/URL> appears to be a server >>> (slapd) option. I'm looking for the LDAP client side which uses OpenLDAP >>> libldap and liblber libraries. >> >> You may wish to more carefully read my response (Hint: -h and -H are not the same >> thing). You may also wish to refer to the man pages for client utilities such as >> ldapsearch, (which use the LDAP client side API). > > Maybe there's a misunderstanding: > > As I read it Daniel asks for setting the client's *out-going* IP address, something like > telnet -b <local-address>. Probably he's on a multi-homed host or has a more complicated > IP configuration and has to use a specific out-going address for getting his packets > accepted by the server. > > Ciao, Michael. >

6 years

2
1
0 / 0

RE: Client binding to a specific local address

by Quanah Gibson-Mount

--On Thursday, May 11, 2017 11:57 PM +0000 Daniel Le <daniel.le(a)exfo.com> wrote: > Thanks Quanah and Michael. I much appreciate your help. > > I am new to this list. How do I submit an enhancement request? Or would > you be willing to do it on behalf of the community? You can file the request at http://www.openldap.org/its/ If you wish to do the related work, then see also <http://www.openldap.org/devel/contributing.html> I would note there is no guarantee on if/when said feature would be implemented. --Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

6 years

1
0
0 / 0

Re: Error adding schema: empty AttributeDescription

by Quanah Gibson-Mount

--On Thursday, May 11, 2017 4:34 PM -0400 Prentice Bisbal <pbisbal(a)pppl.gov> wrote: > Is my perception wrong? Yes. You could, for example, to convert "test.schema" that had dependencies on core, cosine, and inetorgperson.schema do the following. a) Create a file named "/tmp/test.conf" with the following contents: include /opt/zimbra/openldap/etc/openldap/schema/core.schema include /opt/zimbra/openldap/etc/openldap/schema/cosine.schema include /opt/zimbra/openldap/etc/openldap/schema/inetorgperson.schema include /tmp/ldap/schema/test.schema b) mkdir -p /tmp/ldap c) slaptest -f /tmp/test.conf -F /tmp/ldap d) Go and grab your newly converted schema file. It will have been numbered in order as it appeared in the conf file, so you'll likely want to tweak it slight, and adjust the dn for adding it via ldapadd. Hope that helps! --Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

6 years

2
1
0 / 0

RE: Client binding to a specific local address

by Quanah Gibson-Mount

--On Thursday, May 11, 2017 6:38 PM +0000 Daniel Le <daniel.le(a)exfo.com> wrote: > Thanks for the answer, however the -h <URI/URL> appears to be a server > (slapd) option. I'm looking for the LDAP client side which uses OpenLDAP > libldap and liblber libraries. You may wish to more carefully read my response (Hint: -h and -H are not the same thing). You may also wish to refer to the man pages for client utilities such as ldapsearch, (which use the LDAP client side API). --Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

6 years

3
3
0 / 0

Re: Error adding schema: empty AttributeDescription

by Quanah Gibson-Mount

--On Thursday, May 11, 2017 2:07 PM -0700 Quanah Gibson-Mount <quanah(a)symas.com> wrote: > --On Thursday, May 11, 2017 4:34 PM -0400 Prentice Bisbal > <pbisbal(a)pppl.gov> wrote: > >> Is my perception wrong? > > Yes. You could, for example, to convert "test.schema" that had > dependencies on core, cosine, and inetorgperson.schema do the following. > > a) Create a file named "/tmp/test.conf" with the following contents: > > include /opt/zimbra/openldap/etc/openldap/schema/core.schema > include /opt/zimbra/openldap/etc/openldap/schema/cosine.schema > include /opt/zimbra/openldap/etc/openldap/schema/inetorgperson.schema > include /tmp/ldap/schema/test.schema Heh, adjust those paths of course to the actual locations of the core/cosine/inetorgperson schema files. --Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

6 years

1
0
0 / 0

RE: Client binding to a specific local address

by Quanah Gibson-Mount

--On Thursday, May 11, 2017 8:33 PM +0000 Daniel Le <daniel.le(a)exfo.com> wrote: > I'm working on an embedded LDAP application software that makes use of > the OpenLDAP client ldap and lber libraries, not the LDAP client > command-line utilities. For that reason, I didn't look into the client > utilities and narrowly thought of slapd -h (where -H option doesn't > exist). > > I see the client utilities ldapsearch, ldapadd, ldapmodify... have the > [-H ldapuri] option, but the library functions ldap_search, > ldap_search_ext, ldap_add, ldap_add_ext, ldap_modify, ldap_modify_ext, > etc. don't have an equivalent input argument. Is it correct that no > client library function supports specification of a local IP address? As I noted, the LDAP client tools all use the C API. Clearly you can pass in a URI when initializing the connection to create the filehandle that is later utilized by functions such as ldap_search, etc. I would strongly advise reading the ldap_open(3) man page, more specifically the ldap_initialize() function detailed there. I would also note that it is perfectly valid for "host" as described in the man page to be an IP address vs a literal hostname. My point in directing you to the clients is you can trivially see how they use the API to construct a connection, etc, using the LDAP C API. Hope that helps. --Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

6 years

1
0
0 / 0

Re: Error adding schema: empty AttributeDescription

by Quanah Gibson-Mount

--On Thursday, May 11, 2017 12:15 PM +0100 Sami <s.aitalioulahcen(a)cnrst.ma> wrote: > Hello, > > The attribute type description, as per RFC2252, requires a space before > the closing parenthesis. It might be what's causing the error. I'd also note it's generally recommended to use slaptest (as documented) to convert existing schema files to LDIF format, to avoid errors such as this. --Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

6 years

2
1
0 / 0

Re: Client binding to a specific local address

by Quanah Gibson-Mount

--On Wednesday, May 10, 2017 8:05 PM +0000 Daniel Le <daniel.le(a)exfo.com> wrote: > > > Hi, > > > > Is there an API to bind client to a local IP address? If not, how best to > directly handle a BER socket for such purpose? The reason is to direct > traffic to go through a specific interface of a host that has multiple > NICs. There is no option in ldap_set_option() for address binding. I > found the thread "listener question" from the OpenLDAP Technical > archives which asked a similar question, but not exactly the same. Use the IP address as the URI, like -H ldap://1.2.3.4:389 --quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

6 years

2
1
0 / 0

Error adding schema: empty AttributeDescription

by Prentice Bisbal

Hello, I'm in the middle of upgrading our existing LDAP servers to new systems running OpenLDAP 2.4.40 on CentOS 6.9. I have over 10 years of experience managing LDAP directories in relatively simple environments, but this is my first time trying to use the dynamic runtime configuration engine. I'm trying to add all the schemas I need with slapadd before I add a dump of the directory from our old servers with slapadd. I need a kerberos schema, so I copied the kerberos schema from /usr/share/doc/krb5-server-ldap-1.10.3/kerberos.ldif, to /etc/openldap/schema and modified it so it could be added with slapadd rather than ldapmodify, like all the other files in that directory. Here's an example of the start of the file after making those changes: dn: cn=kerberos,cn=schema,cn=config objectClass: olcSchemaConfig cn: kerberos olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.1.1 NAME 'krbPrincipalName' EQUALITY caseExactIA5Match SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26) olcAttributeTypes: ( 1.2.840.113554.1.4.1.6.1 NAME 'krbCanonicalName' EQUALITY caseExactIA5Match SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE) olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.3.1 NAME 'krbPrincipalType' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE) When I try to add that file with slapadd. I get this error: # slapadd -n0 -F /etc/openldap/slapd.d -l kerberos.ldif SYNTAX 1.3.6.1.4.1.1466.115.121.1.26)): empty AttributeDescription slapadd: could not parse entry (line=1) _# 6.36% eta none elapsed none spd 18.6 M/s Closing DB... Running the same command debugging set to -1, I get the following: 59138493 => str2entry: "dn: cn=kerberos,cn=schema,cn=config objectClass: olcSchemaConfig cn: kerberos olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.1.1 NAME 'krbPrincipalName' EQUALITY caseExactIA5Match SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26) " 59138493 >>> dnPrettyNormal: <cn=kerberos,cn=schema,cn=config> 59138493 <<< dnPrettyNormal: <cn=kerberos,cn=schema,cn=config>, <cn=kerberos,cn=schema,cn=config> 59138493 <= str2entry NULL (parse_line) SYNTAX 1.3.6.1.4.1.1466.115.121.1.26)): empty AttributeDescription slapadd: could not parse entry (line=1) 59138493 slapadd shutdown: initiated 59138493 slapadd destroy: freeing system resources. Any ideas what I'm doing wrong? I made similar changes to an autofs schema file, and I was able to add that just fine. Do I need to number each olcAttributeType entry by putting a number in curly braces ({0}, {1,}, etc.) at the start of each olcAttributeTypes entry? -- Prentice

6 years

2
3
0 / 0

overlay ppolicy - atribute pwdhistory

by DÍEZ BARREIRO, ANA BELÉN

Hi, I am using ppolicy overlay and I don't want the user to change the password by setting the same value. If I put pwdinhistory = 1 then the new password can not be the same as the current one or the previous on (2 values). But with pwdinhistory = 0 you can put the same value. What would be the solution? Thanks!

6 years

2
2
0 / 0

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical May 2017