Fwd: ppolicy and logging
by Maurice Barlow
Greetings, using 2.4.45 on Solaris 11 (shipped with the distro) with
ppolicy.
Working on the locking out of the accounts and want to configure detailed
messages pumped into syslog to track lockout activity.
At the moment what I see is only "errorno=49". Any ideas or a secure
log_level?
cheers
MB
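The "errorno=49" in the post is LDAP result code 49 (invalidCredentials), which is all slapd puts in its RESULT line for a failed or locked-out bind. At the usual operational loglevel ("stats", 256) every bind is logged as a BIND line carrying the DN and a RESULT line carrying the error code, keyed by the same conn= and op= values. The script below is an added example, not code from the original post or from OpenLDAP, showing how a defender can pair those two lines and count consecutive failures per DN to see which accounts are approaching or past a lockout threshold. The log lines are constructed, and the pwdMaxFailure value passed in is an assumption about the local policy.

```python
import re
from collections import defaultdict

# Constructed slapd "stats" log lines (syslog prefix included), not taken from the original post.
SAMPLE_LOG = """\
Oct 10 09:00:01 ldap1 slapd[1234]: conn=1000 fd=12 ACCEPT from IP=192.0.2.10:51000 (IP=0.0.0.0:389)
Oct 10 09:00:01 ldap1 slapd[1234]: conn=1000 op=0 BIND dn="uid=alice,ou=users,dc=example,dc=com" method=128
Oct 10 09:00:01 ldap1 slapd[1234]: conn=1000 op=0 RESULT tag=97 err=49 text=
Oct 10 09:00:02 ldap1 slapd[1234]: conn=1001 fd=13 ACCEPT from IP=192.0.2.10:51001 (IP=0.0.0.0:389)
Oct 10 09:00:02 ldap1 slapd[1234]: conn=1001 op=0 BIND dn="uid=alice,ou=users,dc=example,dc=com" method=128
Oct 10 09:00:02 ldap1 slapd[1234]: conn=1001 op=0 RESULT tag=97 err=49 text=
Oct 10 09:00:03 ldap1 slapd[1234]: conn=1002 op=0 BIND dn="uid=alice,ou=users,dc=example,dc=com" method=128
Oct 10 09:00:03 ldap1 slapd[1234]: conn=1002 op=0 RESULT tag=97 err=49 text=
Oct 10 09:00:04 ldap1 slapd[1234]: conn=1003 op=0 BIND dn="uid=bob,ou=users,dc=example,dc=com" method=128
Oct 10 09:00:04 ldap1 slapd[1234]: conn=1003 op=0 RESULT tag=97 err=0 text=
Oct 10 09:00:05 ldap1 slapd[1234]: conn=1004 op=0 BIND dn="uid=bob,ou=users,dc=example,dc=com" method=128
Oct 10 09:00:05 ldap1 slapd[1234]: conn=1004 op=0 RESULT tag=97 err=49 text=
"""

# BIND lines carry the DN; RESULT lines carry the outcome. They share conn= and op=.
BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)" method=(\d+)')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT tag=(\d+) err=(\d+)')


def correlate_binds(log_text):
    """Pair each BIND with its RESULT by (conn, op); return a list of (dn, err)."""
    pending = {}   # (conn, op) -> dn, waiting for its RESULT line
    outcomes = []
    for line in log_text.splitlines():
        m = BIND_RE.search(line)
        if m:
            pending[(m.group(1), m.group(2))] = m.group(3)
            continue
        m = RESULT_RE.search(line)
        if m and m.group(3) == "97":   # tag 97 is the BER tag of a BindResponse
            dn = pending.pop((m.group(1), m.group(2)), None)
            if dn is not None:
                outcomes.append((dn, int(m.group(4))))
    return outcomes


def failure_streaks(outcomes):
    """Consecutive err=49 (invalidCredentials) binds per DN; a successful bind (err=0) resets the count."""
    streak = defaultdict(int)
    for dn, err in outcomes:
        if err == 49:
            streak[dn] += 1
        elif err == 0:
            streak[dn] = 0
    return dict(streak)


def likely_locked(outcomes, pwd_max_failure):
    """DNs whose failure streak reached pwd_max_failure (the policy's pwdMaxFailure, assumed by the caller)."""
    return sorted(dn for dn, n in failure_streaks(outcomes).items() if n >= pwd_max_failure)


if __name__ == "__main__":
    binds = correlate_binds(SAMPLE_LOG)
    for dn, n in failure_streaks(binds).items():
        print(f"{n} consecutive failures: {dn}")
    print("at or past pwdMaxFailure=3:", likely_locked(binds, 3))
```

Because a locked account also answers err=49, the streak keeps growing after the lockout; a reset to zero only happens on a successful bind, which mirrors how ppolicy clears pwdFailureTime. Feeding real syslog output in place of SAMPLE_LOG is the only change needed.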
Using ppolicy and autogroup to apply policy to a group a users
by Clément OUDOT
Hello,
we often have the question on this list: how to apply a policy to a branch
or a group of users?
I was thinking we could use autogroup with this kind of configuration:
dn: olcOverlay={9}autogroup,olcDatabase={1}mdb,cn=config
objectClass: top
objectClass: olcConfig
objectClass: olcAutomaticGroups
objectClass: olcOverlayConfig
olcOverlay: {9}autogroup
olcAGattrSet: pwdPolicy memberUrl seeAlso
olcAGmemberOfAd: pwdPolicySubentry
The goal is to have a memberUrl inside a pwdPolicy object, that can
target accounts that need to have this policy. For example:
dn: cn=default,ou=ppolicies,dc=example,dc=com
changetype: modify
replace: memberURL
memberURL: ldap:///ou=users,dc=example,dc=com??one?(uid=user*)
The autogroup "olcAGattrSet" is working well, I can see the seeAlso
values. But the "olcAGmemberOfAd" does not seem to be applied.
I don't know if this is a conflict with the ppolicy overlay, or other
overlays (dynlist, memberof). I attach a full debug log, maybe you can
find what is going wrong. We see that the
"autogroup_member_search_modify_cb" function is called, but the user entry
is not modified.
Do you think this configuration could work?
--
Clément Oudot | Identity Solutions Manager
clement.oudot(a)worteks.com
Worteks | https://www.worteks.com
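The configuration above relies on autogroup doing two things: reading the memberURL of each pwdPolicy entry (olcAGattrSet: pwdPolicy memberUrl seeAlso) and writing the policy's DN into the pwdPolicySubentry attribute of every entry the URL selects (olcAGmemberOfAd). The script below is an added example, not code from the original post or from OpenLDAP, that models only the selection step: it parses the LDAP URL, applies its base, scope and filter to a constructed set of entries, and reports the pwdPolicySubentry value each matching entry would end up with. The entries are constructed; DN splitting is deliberately naive (no escaped commas) and the filter evaluator covers only &, |, !, presence and equality with '*' wildcards, which is enough for the (uid=user*) case in the post.

```python
import re
from urllib.parse import unquote

# Values from the post.
POLICY_DN = "cn=default,ou=ppolicies,dc=example,dc=com"
MEMBER_URL = "ldap:///ou=users,dc=example,dc=com??one?(uid=user*)"

# Constructed directory content, not from the original post.
ENTRIES = {
    "uid=user1,ou=users,dc=example,dc=com": {"objectClass": ["inetOrgPerson"], "uid": ["user1"]},
    "uid=user2,ou=users,dc=example,dc=com": {"objectClass": ["inetOrgPerson"], "uid": ["user2"]},
    "uid=admin,ou=users,dc=example,dc=com": {"objectClass": ["inetOrgPerson"], "uid": ["admin"]},
    "uid=user3,ou=ext,ou=users,dc=example,dc=com": {"objectClass": ["inetOrgPerson"], "uid": ["user3"]},
}


def parse_ldap_url(url):
    """Split an RFC 4516 URL into (base, attrs, scope, filter); scope defaults to base, filter to (objectClass=*)."""
    assert url.startswith("ldap:///"), "only host-less URLs are handled here"
    parts = url[len("ldap:///"):].split("?")
    parts += [""] * (4 - len(parts))          # missing trailing components are empty
    base, attrs, scope, flt = parts[:4]
    return (unquote(base).lower(), [a for a in attrs.split(",") if a],
            (scope or "base").lower(), unquote(flt) or "(objectClass=*)")


def dn_parts(dn):
    # Naive RDN split: assumes no escaped commas in the DN (true for the constructed data).
    return [p.strip().lower() for p in dn.split(",")]


def in_scope(dn, base, scope):
    """True if dn lies within base at the depth the scope allows (base / one / sub)."""
    d, b = dn_parts(dn), dn_parts(base)
    if len(d) < len(b) or d[len(d) - len(b):] != b:
        return False
    depth = len(d) - len(b)
    return {"base": depth == 0, "one": depth == 1, "sub": True}[scope]


def split_filters(s):
    """Split "(a)(b)(c)" into its top-level parenthesised parts."""
    out, depth, start = [], 0, 0
    for i, ch in enumerate(s):
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                out.append(s[start:i + 1])
    return out


def glob_match(pattern, value):
    # Only '*' is a wildcard in an LDAP substring filter; everything else is literal.
    return re.fullmatch(".*".join(re.escape(p) for p in pattern.split("*")), value) is not None


def match_filter(entry, flt):
    """Evaluate a restricted RFC 4515 filter: &, |, !, presence and equality with '*' wildcards."""
    flt = flt.strip()
    assert flt.startswith("(") and flt.endswith(")"), "filter must be parenthesised"
    body = flt[1:-1]
    if body[0] in "&|!":
        results = [match_filter(entry, sub) for sub in split_filters(body[1:])]
        return {"&": all(results), "|": any(results), "!": not results[0]}[body[0]]
    attr, _, value = body.partition("=")
    # Attribute names are case-insensitive; values are compared case-insensitively too.
    values = next((v for k, v in entry.items() if k.lower() == attr.lower()), [])
    values = [v.lower() for v in values]
    if value == "*":
        return bool(values)                  # presence filter
    return any(glob_match(value.lower(), v) for v in values)


def autogroup_targets(entries, member_url):
    """DNs the memberURL selects: inside the base at the given scope and matching the filter."""
    base, _attrs, scope, flt = parse_ldap_url(member_url)
    return sorted(dn for dn, e in entries.items() if in_scope(dn, base, scope) and match_filter(e, flt))


def apply_policy_subentry(entries, member_url, policy_dn, member_of_ad="pwdPolicySubentry"):
    """What olcAGmemberOfAd should produce: {dn: {member_of_ad: [policy_dn]}} for each selected entry."""
    return {dn: {member_of_ad: [policy_dn]} for dn in autogroup_targets(entries, member_url)}


if __name__ == "__main__":
    for dn, mods in apply_policy_subentry(ENTRIES, MEMBER_URL, POLICY_DN).items():
        print(dn, "->", mods)
```

With the one-level scope from the post only user1 and user2 are selected; admin fails the filter and user3 sits one level too deep. Switching the URL to ?sub? pulls user3 in as well, which is the kind of difference worth checking before trusting a debug log that shows the callback firing but no modification.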
oracle user authentication through OpenLDAP
by appana anil
We have recently replaced OID with OpenLDAP and are looking to see if the
Oracle db user can authenticate through OpenLDAP.
Appreciate your help.
--
Regards,
A.Anil Kumar
RE24 testing call (2.4.47) LMDB RE0.9 testing call (0.9.23)
by Quanah Gibson-Mount
This is expected to be the only testing call for 2.4.47, with an
anticipated release, depending on feedback, during the week of 2018/10/15.
Generally, get the code for RE24:
<http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=snapshot;h=refs...>
Configure & build.
Execute the test suite (via make test) after it is built. Optionally, cd
tests && make its to run through the regression suite.
Thanks!
OpenLDAP 2.4.47 Engineering
Added slapd-sock DN qualifier for subtrees to be processed (ITS#8051)
Added slapd-sock ability to send extended operations to external
listeners (ITS#8714)
Fixed libldap dn to domain parsing with bad input (ITS#8842)
Fixed slapd slapcat to correctly honor -g option (ITS#8667)
Fixed slapd cn=config when modifying slapo-syncprov config (ITS#8616)
Fixed slapd sasl authz-policy "all" behavior (ITS#8909)
Fixed slapd sasl minor typo (ITS#8918)
Fixed slapd to correctly hide hidden DBs in the rootDSE (ITS#8912)
Fixed slapd domainScope control to match Microsoft specification
(ITS#8840)
Fixed slapd-bdb/hdb/mdb to not convert certain IDLs to ranges (ITS#8868)
Fixed slapo-memberof cn=config modifications (ITS#8663)
Fixed slapo-syncprov with NULL modlist (ITS#8843)
Build Environment
Fixed missing includes with OpenSSL 1.0.2 (ITS#8809)
LMDB 0.9.23 Engineering
ITS#8756 Fix loose pages in dirty list
ITS#8831 Fix mdb_load flag init
ITS#8844 Fix mdb_env_close in forked process
Documentation
ITS#8857 mdb_cursor_del doesn't invalidate cursor
ITS#8908 GET_MULTIPLE etc don't change passed in key
Warm regards,
Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
Making contextCSN, entryCSN visible only to sync user?
by Karsten Heymann
Hi,
I wonder if it would be harmful to modify our slapd acls so that only
the user used for syncrepl replication can view the
contextCSN/entryCSN attributes on the master servers. We're
considering this to prevent unintended partial replication (for
example without password fields) in case there is a misconfiguration
and the slave comes as another user/anonymous. Ideally I would block
anonymous access to our database completely but we have to update a
lot of services until this can be achieved. Does this idea make sense
or am I missing something?
Best regards
Karsten
Q: Renewing certificates online
by Ulrich Windl
Hi!
I have a question: I updated the contents of certificate and key file (same location and file name) while slapd was running.
Is it expected that slapd will recognize (and use) the new certificates, or is a restart or reload needed? Our certificates will expire soon...
Regards,
Ulrich
Re: slapo-memberof and Replication
by Meike Stone
Hello Quanah,
Thanks for clarification.
> > That confuses me a little bit.
> > All replication on openLDAP is based on syncreplication (slurpd
> > vanished a long time ago)
> > So what kind of replication does the manual page mean (-> "Replica servers")?
>
> It means that you run it in a replicated environment at your own risk.
> Unfortunately, there is no defined standard for the "memberOf"
> functionality (it's a MS hack) and so there's nothing that details how it
> should or shouldn't behave with replication. In general, things work fine
> as long as:
>
> a) The server(s) never go into REFRESH
> and
> b) You never bring up a new replica with an empty database (which then does
> a full REFRESH)
That means, if I run in mirrormode, I can turn on the memberOf overlay
on the active openLDAP server and off on the slave.
Then REFRESH is supported?! In an emergency case (hardware error) I can
make the mirror (manually) active and turn the overlay on?!
Thanks, Meike
Program of the Silver Jubilee OpenLDAP Developer's Day
by Peter
please find attached the program of the Silver Jubilee OpenLDAP
Developer's Day.
Last minute registration at odd-silverjubilee(a)daasi.de is still possible.
Cheers
Peter
--
_______________________________________________________________________
Peter Gietz (CEO)
DAASI International GmbH
Europaplatz 3
D-72072 Tübingen
Germany
phone: +49 7071 407109-0
Fax: +49 7071 407109-9
mail: peter.gietz(a)daasi.de
Web: www.daasi.de
DAASI International GmbH, Tübingen
Geschäftsführer Peter Gietz, Amtsgericht Stuttgart HRB 382175
Directory Applications for Advanced Security and Information Management
_______________________________________________________________________