any working documentation?
by Dmitri Seletski
Hello.
I am new to the list, so if you're going to beat me with your feet, please
don't hit me in the face.
I did not find a help/user list, so I am posting here.
Where can I find working documentation for OpenLDAP?
The most current I found:
https://www.openldap.org/doc/admin24/quickstart.html
It says nothing of TLS encryption. I fail to start the service.
See output below:
TLSMC: MozNSS compatibility interception begins.
tlsmc_intercept_initialization: INFO: entry options follow:
tlsmc_intercept_initialization: INFO: cacertdir = `/etc/openldap/certs'
tlsmc_intercept_initialization: INFO: certfile = `OpenLDAP Server'
tlsmc_intercept_initialization: INFO: keyfile = `/etc/openldap/certs/password'
tlsmc_convert: INFO: trying to open NSS DB with CACertDir = `/etc/openldap/certs'.
tlsmc_open_nssdb: INFO: trying to initialize moznss using security dir `/etc/openldap` prefix `certs`.
tlsmc_open_nssdb: WARN: could not initialize MozNSS context - error -8015.
tlsmc_convert: INFO: cannot open the NSS DB, expecting PEM configuration is present.
tlsmc_intercept_initialization: INFO: altered options follow:
tlsmc_intercept_initialization: INFO: cacertdir = `/etc/openldap'
tlsmc_intercept_initialization: INFO: certfile = `OpenLDAP Server'
tlsmc_intercept_initialization: INFO: keyfile = `/etc/openldap/certs/password'
tlsmc_intercept_initialization: INFO: successfully intercepted TLS initialization. Continuing with OpenSSL only.
TLSMC: MozNSS compatibility interception ends.
TLS: could not use certificate `OpenLDAP Server'.
TLS: error:02001002:system library:fopen:No such file or directory bss_file.c:402
TLS: error:20074002:BIO routines:FILE_CTRL:system lib bss_file.c:404
TLS: error:140AD002:SSL routines:SSL_CTX_use_certificate_file:system lib ssl_rsa.c:468
5d5af51b main: TLS init def ctx failed: -1
5d5af51b slapd destroy: freeing system resources.
5d5af51b slapd stopped.
5d5af51b connections_destroy: nothing to destroy.
Where can I submit errata to the documentation maintainer? (The quick start
clearly doesn't work in my default install of OpenLDAP on CentOS 7.)
And how can I start SLAPD without encryption?
I can generate a self-signed private/public key and make an ln -s of my CA
cert folder to 'cacertdir = `/etc/openldap'', but this seems SOOO
unnecessary, at least on the 'try out' step.
Thanks in advance
Dmitri
3 years, 9 months
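The log above fails at fopen() because the OpenSSL backend treats certfile as a filename, while `OpenLDAP Server' is an NSS certificate nickname left over from the MozNSS-style configuration. The following pre-flight check is an added example (not code from the OpenLDAP project or from the original post): it reads the file-based TLS directives of a slapd.conf fragment and reports values that are not paths, do not exist, or do not carry the PEM block type the directive needs. The directive names are the slapd.conf spellings; the accepted PEM block types per directive and the sample config files it builds are assumptions for the demonstration.

```python
"""Pre-flight check for the file-based TLS directives in slapd.conf.

Added example; it is not from the OpenLDAP project or the original post.
The OpenSSL backend passes TLSCertificateFile and TLSCertificateKeyFile
straight to fopen(), so a value that is an NSS certificate nickname such
as `OpenLDAP Server' (certfile in the log above) fails with "No such file
or directory". The PEM block types accepted per directive are assumptions
about a typical PEM setup.
"""
import os
import re
import tempfile

# Directive -> PEM block types acceptable in that file; None means a directory.
EXPECTED = {
    "TLSCACertificatePath": None,
    "TLSCACertificateFile": ("CERTIFICATE",),
    "TLSCertificateFile": ("CERTIFICATE",),
    "TLSCertificateKeyFile": ("PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"),
}
PEM_BEGIN = re.compile(r"^-----BEGIN ([A-Z ]+)-----$", re.M)


def parse_tls_directives(conf_text):
    """Return {directive: value} for the TLS* lines of a slapd.conf fragment."""
    found = {}
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0] in EXPECTED:
            found[parts[0]] = parts[1].strip()
    return found


def check_tls_config(conf_text):
    """Return [(directive, value, status)] with status one of
    "ok", "not-a-path", "missing", "not-a-directory", "wrong-pem-type"."""
    results = []
    for directive, value in parse_tls_directives(conf_text).items():
        kinds = EXPECTED[directive]
        if not value.startswith("/"):
            # An NSS nickname or a relative name: OpenSSL will fopen() it verbatim.
            results.append((directive, value, "not-a-path"))
        elif kinds is None:
            results.append((directive, value,
                            "ok" if os.path.isdir(value) else "not-a-directory"))
        elif not os.path.isfile(value):
            results.append((directive, value, "missing"))
        else:
            with open(value, errors="replace") as fh:
                blocks = PEM_BEGIN.findall(fh.read())
            ok = any(b in kinds for b in blocks)
            results.append((directive, value, "ok" if ok else "wrong-pem-type"))
    return results


def demo():
    """Run the check on a constructed broken config (mirroring the log above)
    and on a corrected one; returns {"broken": [...], "fixed": [...]}."""
    d = tempfile.mkdtemp()
    files = {
        # Stand-in for the NSS password file from the log: exists, but is not a PEM key.
        "password": "secret\n",
        # Constructed placeholder PEM bodies; only the BEGIN/END markers are checked.
        "server.crt": "-----BEGIN CERTIFICATE-----\nMIIBplaceholder\n-----END CERTIFICATE-----\n",
        "server.key": "-----BEGIN PRIVATE KEY-----\nMIIEplaceholder\n-----END PRIVATE KEY-----\n",
    }
    for name, body in files.items():
        with open(os.path.join(d, name), "w") as fh:
            fh.write(body)
    broken = f"""
# constructed fragment reproducing the values the log above reports
TLSCACertificatePath {d}
TLSCertificateFile OpenLDAP Server
TLSCertificateKeyFile {d}/password
"""
    fixed = f"""
TLSCACertificatePath {d}
TLSCertificateFile {d}/server.crt
TLSCertificateKeyFile {d}/server.key
"""
    return {"broken": check_tls_config(broken), "fixed": check_tls_config(fixed)}


if __name__ == "__main__":
    for label, rows in demo().items():
        for directive, value, status in rows:
            print(f"{label:6} {directive:22} {status:15} {value}")
```

Running it prints `not-a-path` for the certfile and `wrong-pem-type` for the password file, which is exactly the pair of values the altered options in the log hand to OpenSSL.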
BDB to LMDB migration and Linux kernel parameters
by openldap-technical@kolttonen.fi
Hello!
OpenLDAP Admin Guide says:
[LMDB] supports indexing like the BDB backends, but it uses no caching
and requires no tuning to deliver maximum search performance.
We are planning migration from deprecated BerkeleyDB to recommended LMDB.
Our OpenLDAP runs on RHEL7. Since LMDB uses mmap() system calls, is it
necessary to tweak any Linux kernel parameters to allow better caching,
etc.?
Thanks for any information.
Best regards,
Jokke Hämäläinen
3 years, 9 months
Re: OpenLDAP 2.3 to 2.4 Migration Question
by Razi Ahmad
Thanks, I'll do that.
--
Razi Ahmad
Director, IT Infrastructure Services
NYU Stern School of Business
14 East 4th Street, Room 327, New York, NY 10012
Phone: 212-998-0172 | Email: razi(a)stern.nyu.edu
Follow us on Twitter: @nyustern
An Education in *Possible*
On Tue, Aug 20, 2019 at 6:36 PM Quanah Gibson-Mount <quanah(a)symas.com>
wrote:
>
>
> --On Tuesday, August 20, 2019 7:32 PM -0400 Razi Ahmad <razi(a)stern.nyu.edu>
>
> wrote:
>
> >
> > Thanks, Quanah. I did that and see that memberof was populated. However,
> > I also noticed that the number of groups returned when I query for the
> > memberOf attribute on one account doesn't match the number of groups
> > returned when I search for all groups that this particular user is a
> > member of. Do you have any ideas what could be the cause of this mismatch
> > or where I should look when troubleshooting? I checked a few other
> > accounts and the numbers match.
>
> Hi Razi,
>
> Not without more information. What version of OpenLDAP 2.4 did you
> upgrade
> to? Are all the groups of the same objectClass type? I assume the other
> users are also in those same groups? You could try deleting and re-adding
> the user as a member to see if that resolves it.
>
> --Quanah
>
> --
>
> Quanah Gibson-Mount
> Product Architect
> Symas Corporation
> Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
> <http://www.symas.com>
>
3 years, 9 months
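Quanah's questions (which objectClass the groups use, whether other users in the same groups are affected) come down to comparing the memberOf values stored on a user with the groups that actually list that user. The script below is an added example, not code from this thread or from the OpenLDAP project: it reads a constructed slapcat-style LDIF dump, derives the expected memberOf set from group membership, and reports, per user, groups missing from memberOf and stale memberOf values no group backs. It assumes the memberof overlay defaults (group objectClass groupOfNames, member attribute member) and reports groups of other classes separately, since the overlay ignores those.

```python
"""Reconcile memberOf values against actual group membership.

Added example, not code from the thread or the OpenLDAP project. It reads a
constructed LDIF dump and, for every user entry, compares the memberOf values
present on the entry with the groups that list the user as a member. It also
reports groups whose objectClass is not the one the memberof overlay is
configured for (groupOfNames/member by default; assumed here).
"""
from collections import defaultdict

GROUP_OC = "groupofnames"   # assumed overlay setting: default memberof-group-oc
MEMBER_ATTR = "member"      # assumed overlay setting: default memberof-member-ad
OTHER_GROUP_OCS = {"groupofuniquenames", "posixgroup"}


def parse_ldif(text):
    """Return one {attr (lowercase): [values]} dict per entry.

    Handles folded lines (continuation lines start with a space) and comments;
    base64 values ('::') are not needed for this check.
    """
    entries, lines = [], []
    for raw in text.splitlines() + [""]:
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw.strip() == "":
            if lines:
                entry = defaultdict(list)
                for line in lines:
                    if not line.startswith("#"):
                        attr, _, value = line.partition(":")
                        entry[attr.strip().lower()].append(value.strip())
                entries.append(entry)
            lines = []
        else:
            lines.append(raw)
    return entries


def reconcile(entries):
    """Return (mismatches, skipped_groups).

    mismatches: {user_dn: (missing, stale)} where missing are groups that list
    the user but are absent from memberOf, and stale are memberOf values that
    no group backs. skipped_groups: group DNs the overlay would not process.
    """
    expected, skipped = defaultdict(set), []
    for e in entries:
        ocs = {v.lower() for v in e.get("objectclass", [])}
        if GROUP_OC in ocs:
            for member in e.get(MEMBER_ATTR, []):
                expected[member.lower()].add(e["dn"][0])
        elif ocs & OTHER_GROUP_OCS:
            skipped.append(e["dn"][0])
    mismatches = {}
    for e in entries:
        ocs = {v.lower() for v in e.get("objectclass", [])}
        if not ocs & {"inetorgperson", "person"}:
            continue
        dn = e["dn"][0]
        have = set(e.get("memberof", []))
        want = expected.get(dn.lower(), set())
        if want != have:
            mismatches[dn] = (sorted(want - have), sorted(have - want))
    return mismatches, skipped


# Constructed sample dump: alice carries one stale and lacks one real group,
# bob is consistent, and one group still uses groupOfUniqueNames.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: alice
memberOf: cn=admins,ou=groups,dc=example,dc=com
memberOf: cn=old-team,ou=groups,dc=example,dc=com

dn: uid=bob,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: bob
memberOf: cn=admins,ou=groups,dc=example,dc=com

dn: cn=admins,ou=groups,dc=example,dc=com
objectClass: groupOfNames
member: uid=alice,ou=people,dc=example,dc=com
member: uid=bob,ou=people,dc=example,dc=com

dn: cn=staff,ou=groups,dc=example,dc=com
objectClass: groupOfNames
member: uid=alice,ou=people,dc=example,dc=com

dn: cn=legacy,ou=groups,dc=example,dc=com
objectClass: groupOfUniqueNames
uniqueMember: uid=bob,ou=people,dc=example,dc=com
"""

if __name__ == "__main__":
    mismatches, skipped = reconcile(parse_ldif(SAMPLE_LDIF))
    for dn, (missing, stale) in mismatches.items():
        print(dn, "missing:", missing, "stale:", stale)
    print("groups the overlay ignores:", skipped)
```

On a real dump the skipped list is the first thing to look at: a group that kept groupOfUniqueNames/uniqueMember after the LDIF rewrite will never contribute to memberOf, which produces exactly the kind of per-user count mismatch described above.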
Re: OpenLDAP 2.3 to 2.4 Migration Question
by Razi Ahmad
Thanks, Quanah. I did that and see that memberof was populated. However, I
also noticed that the number of groups returned when I query for the
memberOf attribute on one account doesn't match the number of groups
returned when I search for all groups that this particular user is a member
of. Do you have any ideas what could be the cause of this mismatch or where
I should look when troubleshooting? I checked a few other accounts and the
numbers match.
Thanks,
Razi
--
Razi Ahmad
Director, IT Infrastructure Services
NYU Stern School of Business
14 East 4th Street, Room 327, New York, NY 10012
Phone: 212-998-0172 | Email: razi(a)stern.nyu.edu
Follow us on Twitter: @nyustern
An Education in *Possible*
On Tue, Aug 20, 2019 at 4:31 PM Quanah Gibson-Mount <quanah(a)symas.com>
wrote:
>
>
> --On Tuesday, August 20, 2019 5:17 PM -0400 Razi Ahmad <razi(a)stern.nyu.edu>
>
> wrote:
>
> >
> > Hi,
> >
> >
> > I'm working on migrating from OpenLDAP 2.3 to 2.4. I've got my 2.4
> > provider set up and customized and have a copy of production data to
> > load. I'd like to know if there's any way to have the memberof attribute
> > populated during the process of loading the data. I used slapadd but when
> > I searched for a user, I didn't see the memberOf attribute. Prior to
> > running the slapadd command, I replaced the groupOfUniqueNames
> > objectClass with groupOfNames and the uniqueMember attribute with member
> > inside my LDIF file.
>
> You'll have to use ldapadd if you want memberOf populated.
>
> --Quanah
>
> --
>
> Quanah Gibson-Mount
> Product Architect
> Symas Corporation
> Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
> <http://www.symas.com>
>
3 years, 9 months
OpenLDAP 2.3 to 2.4 Migration Question
by Razi Ahmad
Hi,
I'm working on migrating from OpenLDAP 2.3 to 2.4. I've got my 2.4 provider
set up and customized and have a copy of production data to load. I'd like
to know if there's any way to have the memberof attribute populated during
the process of loading the data. I used slapadd but when I searched for a
user, I didn't see the memberOf attribute. Prior to running the slapadd
command, I replaced the groupOfUniqueNames objectClass with groupOfNames
and the uniqueMember attribute with member inside my LDIF file.
Thanks.
--
Razi Ahmad
Director, IT Infrastructure Services
NYU Stern School of Business
14 East 4th Street, Room 327, New York, NY 10012
Phone: 212-998-0172 | Email: razi(a)stern.nyu.edu
Follow us on Twitter: @nyustern
An Education in *Possible*
3 years, 9 months
PPolicy: Multiple pwdGraceUseTime attributes
by Ulrich Windl
Hi!
I noticed that one user has multiple pwdGraceUseTime attributes like this:
pwdGraceUseTime: 20190409095627Z
pwdGraceUseTime: 20190605063107Z
pwdGraceUseTime: 20190614121258Z
pwdGraceUseTime: 20190723062401Z
I don't understand: Doesn't pwdGraceUseTime record how long/often the user may log in despite an expired password?
For the example given, I assume the user has changed the password a few times since the initial grace login. So aren't the older pwdGraceUseTime attributes removed after the password was changed? Or can this happen if some admin changes the password using some plain replace operation?
Regards,
Ulrich
3 years, 9 months
Re: Multi-master replication : read_config: no serverID / URL match found. Check slapd -h arguments.
by HG
Hi,
It is not as easy as you state.
I have a second setup:
olcServerID: 1 ldap://abc1prdp01.abcgroup.com:1600
olcServerID: 2 ldap://abc2prdp01.abcgroup.com:1600
and
SLAPD_URLS="ldapi:/// ldap://:1600/"
This works too.
Op wo 14 aug. 2019 om 17:03 schreef Quanah Gibson-Mount <quanah(a)symas.com>:
>
>
> --On Wednesday, August 14, 2019 11:23 AM +0200 HG
> <hanspeter.sloot(a)gmail.com> wrote:
>
> >
> > olcServerID: 1 ldap://linux1014.ts.aa-srv.com
> > olcServerID: 2 ldap://linux1015.ts.aa-srv.com
>
> Neither of those has a trailing slash. You noted:
>
> SLAPD_URLS="ldapi:/// ldap://linux1014.ts.aa-srv.com/"
>
> doesn't start, but
>
> SLAPD_URLS="ldapi:/// ldap://linux1014.ts.aa-srv.com"
>
> starts.
>
> I would expect this. As I said before, it's a MATCH between what's
> provided in the olcServerID field and the -h option to slapd (SLAPD_URLS
> in
> your case). I.e., the software is functioning as documented. If you want
> it to match on the trailing slash, adjust your olcServerID values to
> include a trailing slash.
>
> Regards,
> Quanah
>
> --
>
> Quanah Gibson-Mount
> Product Architect
> Symas Corporation
> Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
> <http://www.symas.com>
>
3 years, 9 months
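Because olcServerID resolution happens at startup, a trailing-slash mismatch is cheapest to catch before slapd is restarted. The script below is an added example, neither code from this thread nor from the OpenLDAP project, and it does not reproduce slapd's internal comparison. It applies the rule Quanah states above: each olcServerID URL must match one of the -h listener URLs (SLAPD_URLS) as given, so a trailing slash present on one side only is reported as a mismatch. A listener that omits the host but uses the same scheme and port, which is HG's ldap://:1600/ setup and which he reports does start, is reported separately as "wildcard-host" rather than as a match; the default ports for ldap and ldaps are assumed where a URL carries none.

```python
"""Check olcServerID URLs against the slapd -h listener list (SLAPD_URLS).

Added example; not code from the thread or the OpenLDAP project, and not a
reproduction of slapd's own comparison. It applies the rule Quanah states
above: an olcServerID URL must match a listener URL as given, so a trailing
slash on one side only is a mismatch. A listener without a host on the same
scheme/port (HG's ldap://:1600/ setup) is flagged as "wildcard-host".
"""
import shlex
from urllib.parse import urlsplit

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}   # assumed when a URL has no port


def parse_server_ids(ldif_text):
    """Return [(sid, url)] for 'olcServerID: <n> <url>' lines."""
    out = []
    for line in ldif_text.splitlines():
        if line.lower().startswith("olcserverid:"):
            fields = line.split(None, 2)
            if len(fields) == 3:
                out.append((int(fields[1]), fields[2].strip()))
    return out


def parse_listener_urls(slapd_urls):
    """Split a SLAPD_URLS value (the slapd -h argument) into URLs."""
    return shlex.split(slapd_urls)


def _endpoint(url):
    """(scheme, host, port) of a URL; host is '' when absent, as in ldap://:1600/."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    return scheme, (u.hostname or "").lower(), u.port or DEFAULT_PORTS.get(scheme)


def classify(sid_url, listeners):
    """Relate one serverID URL to the listener list:
    "exact"          - identical string, the documented match
    "string-differs" - same scheme/host/port but a different spelling
                       (typically the trailing slash): slapd will not start
    "wildcard-host"  - a listener without a host on the same scheme/port
    "no-match"       - nothing comparable
    """
    if sid_url in listeners:
        return "exact"
    scheme, host, port = _endpoint(sid_url)
    verdict = "no-match"
    for lurl in listeners:
        lscheme, lhost, lport = _endpoint(lurl)
        if lscheme != scheme or lport != port:
            continue
        if lhost == host:
            return "string-differs"
        if lhost == "":
            verdict = "wildcard-host"
    return verdict


def report(ldif_text, slapd_urls):
    """Return [(sid, url, verdict)] for every olcServerID value."""
    listeners = parse_listener_urls(slapd_urls)
    return [(sid, url, classify(url, listeners))
            for sid, url in parse_server_ids(ldif_text)]


if __name__ == "__main__":
    # Constructed from the values quoted in the thread.
    sids = ("olcServerID: 1 ldap://linux1014.ts.aa-srv.com\n"
            "olcServerID: 2 ldap://linux1015.ts.aa-srv.com\n")
    for urls in ('ldapi:/// ldap://linux1014.ts.aa-srv.com/',
                 'ldapi:/// ldap://linux1014.ts.aa-srv.com'):
        print(urls, "->", report(sids, urls))
```

On a multi-master node exactly one serverID should come back "exact"; the others legitimately report "no-match" because they name the other hosts. A "string-differs" result is the trailing-slash case from the thread and is fixed by spelling the URL identically in both places.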
use-case for arg const char *dn of ldap_sasl_bind_s()
by Michael Ströder
Hi!
It seems I've never passed a DN to SASL bind functions.
Could someone please elaborate on a valid use-case for argument dn of
libldap function ldap_sasl_bind_s()?
Thanks in advance.
Ciao, Michael.
3 years, 9 months