Greetings, using 2.4.45 on Solaris 11 (shipped with the distro) with
Working on the locking out of the accounts and want to configure detailed
messages pumped into syslog to track lockout activity.
At the moment what I see is only "errorno=49". Any ideas or a secure
we often have the question on this list: how apply a policy to a branch
or a group of users?
I was thinking we could use autogroup with this kind of configuration:
olcAGattrSet: pwdPolicy memberUrl seeAlso
The goal is to have a memberUrl inside a pwdPolicy object, that can
target accounts that need to have this policy. For example:
The autogroup "olcAGattrSet" is working well, I can see the seeAlso
values. But the "olcAGmemberOfAd" does not seem to be applied.
I don't know if this is a conflict with the ppolicy overlay, or other
overlays (dynlist, memberof). I attach a full debug log, maybe you can
find what is going wrong. We see that the
"autogroup_member_search_modify_cb" function is called, but the user entry
is not modified.
Do you think this configuration could work?
Clément Oudot | Identity Solutions Manager
Worteks | https://www.worteks.com
This is expected to be the only testing call for 2.4.47, with an
anticipated release, depending on feedback, during the week of 2018/10/15.
Generally, get the code for RE24:
Configure & build.
Execute the test suite (via make test) after it is built. Optionally, cd
tests && make its to run through the regression suite.
OpenLDAP 2.4.47 Engineering
Added slapd-sock DN qualifier for subtrees to be processed (ITS#8051)
Added slapd-sock ability to send extended operations to external
Fixed libldap dn to domain parsing with bad input (ITS#8842)
Fixed slapd slapcat to correctly honor -g option (ITS#8667)
Fixed slapd cn=config when modifying slapo-syncprov config (ITS#8616)
Fixed slapd sasl authz-policy "all" behavior (ITS#8909)
Fixed slapd sasl minor typo (ITS#8918)
Fixed slapd to correctly hide hidden DBs in the rootDSE (ITS#8912)
Fixed slapd domainScope control to match Microsoft specification
Fixed slapd-bdb/hdb/mdb to not convert certain IDLs to ranges (ITS#8868)
Fixed slapo-memberof cn=config modifications (ITS#8663)
Fixed slapo-syncprov with NULL modlist (ITS#8843)
Fixed missing includes with OpenSSL 1.0.2 (ITS#8809)
LMDB 0.9.23 Engineering
ITS#8756 Fix loose pages in dirty list
ITS#8831 Fix mdb_load flag init
ITS#8844 Fix mdb_env_close in forked process
ITS#8857 mdb_cursor_del doesn't invalidate cursor
ITS#8908 GET_MULTIPLE etc don't change passed in key
I wonder if it would be harmful to modify our slapd acls so that only
the user used for syncrepl replication can view the
contextCSN/entryCSN attributes on the master servers. We're
considering this to prevent unintended partial replication (for
example without password fields) in case there is a misconfiguration
and the slave comes as another user/anonymous. Ideally I would block
anonymous access to our database completely but we have to update a
lot of services until this can be achieved. Does this idea make sense
or am I missing something?
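The attribute-level restriction the post describes, written as a cn=config LDIF change (an added example, not part of the post or of OpenLDAP's own documentation). The database DN olcDatabase={1}mdb,cn=config and the replication identity cn=replicator,dc=example,dc=com are assumed; the example shows only the ACL syntax for hiding the CSN attributes from every other bind, not whether syncrepl continues to work once they are hidden.

```ldif
# Constructed example: adjust the database DN and the replicator DN
# to your own deployment before applying with ldapmodify.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
# Inserted as rule {0}, so it is evaluated before any existing rules.
# Only the syncrepl identity may read entryCSN/contextCSN; any other
# bind, anonymous included, gets no access to them.
olcAccess: {0}to attrs=entryCSN,contextCSN
  by dn.exact="cn=replicator,dc=example,dc=com" read
  by * none
```

Continuation lines in LDIF begin with a single space that is stripped on parsing, so the second space on each folded line is what keeps the ACL tokens separated.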
I have a question: I updated the contents of certificate and key file (same location and file name) while slapd was running.
Is it expected that slapd will recognize (and use) the new certificates, or is a restart or reload needed? Our certificates will expire soon...
Thanks for clarification.
> > That confuses me a little bit.
> > All replication on OpenLDAP is based on syncreplication (slurpd
> > vanished a long time ago)
> > So what kind of replication means the manual page (-> "Replica servers")?
> It means that you run it in a replicated environment at your own risk.
> Unfortunately, there is no defined standard for the "memberOf"
> functionality (it's a MS hack) and so there's nothing that details how it
> should or shouldn't behave with replication. In general, things work fine
> as long as:
> a) The server(s) never go into REFRESH
> b) You never bring up a new replica with an empty database (which then does
> a full REFRESH)
That means, if I run in mirrormode, I can turn on the memberOf overlay
on the active OpenLDAP server and off on the slave.
Then REFRESH is supported?! In an emergency case (hardware error) I can
make the mirror (manually) active and turn the overlay on?!
please find attached the program of the Silver Jubilee OpenLDAP
Last-minute registration at odd-silverjubilee(a)daasi.de is still possible.
Peter Gietz (CEO)
DAASI International GmbH phone: +49 7071 407109-0
Europaplatz 3 Fax: +49 7071 407109-9
D-72072 Tübingen mail: peter.gietz(a)daasi.de
Germany Web: www.daasi.de
DAASI International GmbH, Tübingen
Managing Director Peter Gietz, Amtsgericht Stuttgart HRB 382175
Directory Applications for Advanced Security and Information Management