I'm using OpenLDAP 2.4.44 with delta-replication. At the master node I get the error message:
RESULT tag=103 err=19 text=Password is in history of old password
At the slave node:
RESULT tag=103 err=19 text=
Is there any way to get the full text message at the slave node?
Is it possible to integrate two OpenLDAP servers so that some users
(filtered by some criteria) are replicated from one server to another
(but not vice versa)?
Does OpenLDAP provide some functionality for this or must I write a
cron scheduled shell script utilizing ldapsearch and ldapmodify?
Any advice or configuration example is appreciated.
While trying to reset a user's password, I am getting the below error:
ldap_modify: Undefined attribute type (17)
additional info: pwdReset: attribute type undefined
The same script runs fine on our other LDAP server. Your thoughts?
Here is a copy of the ldif file:
I have installed the LDAP Tool Box version of OpenLDAP on CentOS 8 for the purpose of a proxy to AD. My proxy needs to "translate" from our old AD domain to our new AD domain (I hate company name changes!).
We have some software that accesses our old domain with certain credentials, does searches for groups and users, then binds as the appropriate user to authenticate the user.
From this legacy system I need to be able to:
1. Bind to the proxy with credentials I can't change. These look like user "special-user(a)old.com". (Not a typical DN, looks more like a user principal).
2. Search a particular subtree for users and bind as that user to authenticate.
3. Search another subtree for groups and use an ad-style membership check to determine who is a user, who is an admin, etc.
I need to be able to authenticate for the searching using the above special user, but the proxy operation should use a different set of credentials when searching the backend. I also need to translate subtrees and possibly individual DNs.
This is my (sanitized) slapd.conf:
index objectClass eq
suffixmassage "ou=old-tree,DC=old-domain,DC=com" "ou=new-tree,DC=new-domain,DC
I figured out what I think should be done in translating domains, subtrees, etc.
What I can't figure out is how to accept the "special-user(a)old.com" on the front and then use another "Service Account" through the backend so I can search for users.
Once the frontend rebinds with the user's credentials, that needs to pass through.
Can anyone help me have a "split personality" when it comes to authentication?
Gary A. Algier
I am migrating to delta-syncrepl and have a couple questions.
I currently back-up my data.mdb file for restore purposes (using mdb_copy).
Now that I am using delta-syncrepl, do I also need to be concerned with the accesslog data.mdb file in the event of a restore?
What is the sync behavior of a consumer if it is configured to use delta-syncrepl and the provider is restored but not the accesslog (i.e. the accesslog would be new on initial start of slapd after a restore)?
Files in question:
Thanks for any input,