openldap-technical April 2020

openldap-technical@openldap.org

33 participants
35 discussions

Specific outgoing IP for syncrepl
by Dale Thompson - NOAA Federal 24 Apr '20

24 Apr '20

I've been using openldap's multi-master syncrepl based sync for years and it works great. But, I would like to be able to specify which IP on a multi-IP system syncrepl makes outgoing connections to other members of the sync cluster. On my multi-IP servers I am able to get slapd to only bind to a specific IP with the appropriate -h option. That works fine. But, outgoing syncrepl connections come from the primary IP on the server. Can anyone suggest a way to specify which IP syncrepl will use to make outgoing replication queries? -- Dale James Thompson, NWS Radar Operations Center IT Specialist, Configuration Management Team 1313 Halley Circle Norman, OK 73069 Voice (405) 573-3472 Fax (405) 573-3480 Dale.J.Thompson(a)noaa.gov

3 3

Re: Openldap Master-Slave setup
by Quanah Gibson-Mount 23 Apr '20

23 Apr '20

--On Thursday, April 23, 2020 10:45 AM -0700 rammohan ganapavarapu <rammohanganap(a)gmail.com> wrote: > > > Quanah, > > > Thanks for quick response, with the above configuration does ldapadd on > slave through referral error message? We configured referral in slave > but when we did ldapadd its not throwing referral error but just > accepting the request, is it expected? i read in some other post where > user get below error in case of referral configured. I don't know what you were reading or if it's even related to OpenLDAP. As I said, it's up to clients to follow referrals if one is returned. The ldap* clients do not follow referrals. If you want the consumer to forward updates to the provider on the writer's behalf, then you need to configure chaining as I already stated. --Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

1 0

Re: Openldap Master-Slave setup
by Quanah Gibson-Mount 23 Apr '20

23 Apr '20

--On Thursday, April 23, 2020 9:11 AM -0700 rammohan ganapavarapu <rammohanganap(a)gmail.com> wrote: > Any idea? If this is not the right way to do, can you please point me to > a correct procedure? It is on clients to follow referrals if they are returned. If you want the consumer to forward the updates to the provider, then you need to configure chaining. man slapo-chain(5). Regards, Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

1 0

Re: argon2, available as of what release?
by bitsof info 21 Apr '20

21 Apr '20

awesome, when might that be out? On Tue, Apr 21, 2020 at 1:34 PM Quanah Gibson-Mount <quanah(a)symas.com> wrote: > > > --On Tuesday, April 21, 2020 1:28 PM -0700 Quanah Gibson-Mount > <quanah(a)symas.com> wrote: > > > It will be a part of the 2.5 release series. However, I believe Ryan has > > backported it to 2.4 for the Debian builds. > > I just discussed with Howard, we'll be adding it to the 2.4.50 release. > > Regards, > Quanah > > > -- > > Quanah Gibson-Mount > Product Architect > Symas Corporation > Packaged, certified, and supported LDAP solutions powered by OpenLDAP: > <http://www.symas.com> >

2 1

argon2, available as of what release?
by bitsof info 21 Apr '20

21 Apr '20

Hi, Trying to follow as of what OpenLdap release is the argon2 support made available? Looking here it looks like it was originally committed 3 years ago w/ recent updates 5 months ago: https://git.openldap.org/openldap/openldap/-/commits/af5ed7c6e27d596dbed440… But here in releases I don't see it mentioned: https://www.openldap.org/software/release/changes.html What minimum version of OpenLdap should I be running to have the argon2 support w/ the latest commit mentioned here? https://git.openldap.org/openldap/openldap/-/commit/af5ed7c6e27d596dbed440c… >= 2.4.45 for argon2 support? >= 2.4.49 for argon2 support w/ libsodium changes? also anyone know of a centos 7 package w/ all these pw contrib (argon2) module already built in it? thanks

2 2

RE: [External] RE: Problem using ldapsearch across forests with trust
by Quanah Gibson-Mount 16 Apr '20

16 Apr '20

--On Thursday, April 16, 2020 11:37 PM +0000 "Kleber S. Carvalho" <kleber.s.carvalho(a)avanade.com> wrote: > Hello, Quanah! > > I really appreciate your engagement in this case. > > Please help me understand if the client can validate the AD scenario with > the ldapsearch tool or not, or if ldapsearch is not supported in the > forest. You might need to see what options the Java program is using. For example, is it following referrals? Again, AD is not LDAP and so what you're talking about is really not LDAP related. There are no "forests" in LDAP, etc. Please stop CCing bugs(a)openldap.org Please don't send attachments to openldap-technical (your emails get dropped if you do). --Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

1 0

RE: Problem using ldapsearch across forests with trust
by Quanah Gibson-Mount 16 Apr '20

16 Apr '20

--On Thursday, April 16, 2020 2:10 PM +0000 "Kleber S. Carvalho" <kleber.s.carvalho(a)avanade.com> wrote: > First, we performed a valid test by performing authentication and a > simple query directly to the minca.com domain, with the command: > > ldapsearch -H 'LDAP: //minca.com: 3268' -D 'cn = Administrator, cn = > users, dc = minca, dc = with' -w Avanade @ 2020! -b 'cn = users, dc = > minca, dc = com' > > However, when performing this procedure and authenticating the user > minca(a)minca.com in the child.klabs.com domain using the ldapsearch tool, > the result was an error according to file > 7_openldaperror_indirectaccess.JPG stating invalid credentials. Expected I would think, if using a simple bind. > However, a .net application was created to perform this same function and > it worked, as per file 9_dotNetApp_success.JPG. AD is not LDAP. > Finally, the conclusion we are reaching is that the openldap tool does > not work directly between forests, but only on the same tree. We would > like to know if this understanding is correct or if this is really a bug > in the tool. AD is not LDAP. --Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

2 1

rootdn & password policy
by Hannah Chenh 15 Apr '20

15 Apr '20

Hello, I have a question related to rootdn and password policy. I understand that the rootdn can bypass all restrictions. We have a requirement to bypass a password policy for the admin user. Is there a way to create the admin user so that this user can have the same privilege as rootdn and I don't need to bind as rootdn in my application? Currently I have granted the following to the admin_user: === dn: olcDatabase={2}hdb,cn=config changetype: modify add: olcAccess olcAccess: {0}to attrs=userPassword by self write by anonymous auth by dn.base="cn=Manager,dc=abcdomain,dc=com" write by dn.base="uid=admin_user,ou=Service Accounts,dc=abcdomain,dc=com" write by * none olcAccess: {1}to * by self write by dn.base="cn=Manager,dc=abcdomain,dc=com" write by dn.base="uid=admin_user,ou=Service Accounts,dc=abcdomain,dc=com" write by * read === Any help would be appreciated. Thanks, Hannah

5 7

Class-of-service type of feature in OpenLDAP?
by Nick Folino 15 Apr '20

15 Apr '20

I'm moving from ODSEE to OpenLDAP and need to replace our current method of assigning password policies. We're using class-of-service. Is there any way to replicate this in OpenLDAP? Basically I want to assign a virtual attribute (pwdpolicysubentry) based on the value of another attribute (objectclass). For example users with objectclass: x would have pwdpolicysubentry:x and users with objectclass: y would have pwdpolicysubentry:y Thanks, Nick

1 0

Re: [EXT] Re: Clarification of LMDB transaction behaviour
by Ulrich Windl 14 Apr '20

14 Apr '20

On 4/9/20 7:33 PM, Howard Chu wrote: [...] > Tracking the existence of transactions in a language binding is almost certainly a wrong thing > to do, completely unnecessary. MHO: Actually as you must either abort or commit any transaction, any long-running application would need to keep track of active transactions. Complex control flows may need such. How does LMDB react if you try to abort a committed transaction, or trying to commit an aborted transaction (the other two cases should be idempontent, hopefully)? Such tings could happen easily if the application does not track the state of active transactions. >> >> Thanks in advance, >> >> -- >> Dorian Taylor >> Make things. Make sense. >> https://doriantaylor.com >> > >

2 1

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical April 2020