openldap-technical

openldap-technical@openldap.org

9897 discussions

ldapdelete: Invalid DN on an Accesslog generated DN
by Giuseppe Civitella 14 May '18

14 May '18

Hi all, while doing some tests to enable accesslog in my directory, I did enable the overlay and then disabled it because of login problems. Once restored the directory, I found a few entries like this: dn: reqStart=20180509102412.000000Z,BASEDN objectClass: auditModify structuralObjectClass: auditModify REQSTART: 20180509102412.000000Z REQEND: 20180509102412.000001Z REQTYPE: modify REQSESSION: 1679 REQAUTHZID: cn=admin,BASEDN REQDN: cn=gcivitella,ou=users,BASEDN REQRESULT: 0 REQMOD: description:= description utente gcivitella (update check accesslog) REQMOD: entryCSN:= 20180509102412.246481Z#000000#000#000000 REQMOD: modifiersName:= cn=admin,BASEDN REQMOD: modifyTimestamp:= 20180509102412Z REQENTRYUUID: 53620528-9276-1037-8c51-e5b01d96303b entryUUID: dc744658-e7be-1037-9c6f-71aa77ba1fb3 creatorsName: cn=admin,BASEDN createTimestamp: 20180509102412Z entryCSN: 20180509102412.246481Z#000000#000#000000 modifiersName: cn=admin,BASEDN modifyTimestamp: 20180509102412Z Now I'm unable to delete them. I get an "invalid DN" error: ldapdelete -D "cn=admin,BASEDN" -W -H ldap://127.0.0.1 -v "reqStart=20180509102412.000000Z,BASEDN" ldap_initialize( ldap://127.0.0.1:389/??base ) Enter LDAP Password: deleting entry "reqStart=20180509102412.000000Z,BASEDN" ldap_delete: Invalid DN syntax (34) additional info: invalid DN Is there a way to force the deletion or temporary disable the schema check? Best regards, Giuseppe

1 0

Search only few subtrees under baseDN
by Ervin Hegedüs 13 May '18

13 May '18

Hi, may be the subject doesn't give back my real quastion... and may be this is a returned topic... sorry. Scenario: there is a database with several DC's, all DC's divided to several OU's, and most OU contains several other OU's. dc=hu + dc=company1 + dc=company2 + dc = sub-company21 + ou = orgunit1 + ou = orgunit2 + ou = orgunit3 and there are several users. Take a look two examples: uid=admin1,ou=some-org,dc=sub-company21,dc=company2,dc=hu needs to read the ou=orgunit1 and ou=orgunit2. uid=admin2,ou=some-org,dc=sub-company21,dc=company2,dc=hu needs to read full dc=sub-company21 subtree. All of them are WORKING now as well with ACL's. But now, the admin1 user needs to set up two different connections in GUI browser, because he can't set up the dc=sub-company21,dc=company2,dc=hu as baseDN. When he uses the search through API, then he needs to make 2 different lookup to collect all nodes from DB, and merge them. Is there any way to set up one or more ACL's, where admin1 user can set up the dc=sub-company21,dc=company2,dc=hu as baseDN, and can start to search from there, but he will see the entries only from ou=orgunit1 and ou=orgunit2? Hope that's clear... Thanks, a.

3 6

How to present the memberOf attribute in a syncrepl setup?
by Robert Minsk 13 May '18

13 May '18

/-----------------------------------\ | master1 <- mirror repl -> master2 | \-----------------------------------/ ^ ^ ^ | | | syncrepl syncrepl syncrepl | | | /-------\ /-------\ /-------\ |cache01| |cache02| ... |cache n| \-------/ \-------/ \-------/ The master servers are using mirror replication and are behind a load balancer setup for active/passive failover. All writes go to the active master where the "member" attribute is maintained for the groups. The cache servers get their data from the master servers using syncrepl replication. All the end clients connect to the cache servers. I need to be able to present the memberOf attribute on users on the cache servers. The man page for slapo-memberof states that it is not compatible with syncrepl. Because of this the cache servers are using slapo-dynlist to create the memberOf attribute. The problem is since I am using a dynamic list I can not search using the memberOf attribute only query its value. I need to be able to search by the memberOf attribute. What is the recommended way generate the memberOf attribute? Should I modify the schema for a user and somehow maintain the memberOf attribute on the masters? I am a bit worried about this since looking at the slapo-memberOf source the memberOf attribute it is flagged as a DSAOperation.

1 0

About Openldap's functional testing
by 郦旺 12 May '18

12 May '18

To whom it may concern, I am a student who is interested in software reliability. After read the Administrator's Guide, I only found the tests like “make test” to test the build before installation. For the reason that I need to do some experiments, I wonder if there are some official functional tests against an existing Installation of OpenLDAP. Thanks, Wang

1 0

How to present the memberOf attribute in a syncrepl setup?
by Robert Minsk 12 May '18

12 May '18

/-----------------------------------\ | master1 <- mirror repl -> master2 | \-----------------------------------/ ^ ^ ^ | | | syncrepl syncrepl syncrepl | | | /-------\ /-------\ /-------\ |cache01| |cache02| ... |cache n| \-------/ \-------/ \-------/ The master servers are using mirror replication and are behind a load balancer setup for active/passive failover. All writes go to the active master where the "member" attribute is maintained for the groups. The cache servers get their data from the master servers using syncrepl replication. All the end clients connect to the cache servers. I need to be able to present the memberOf attribute on users on the cache servers. The man page for slapo-memberof states that it is not compatible with syncrepl. Because of this the cache servers are using slapo-dynlist to create the memberOf attribute. The problem is since I am using a dynamic list I can not search using the memberOf attribute only query its value. I need to be able to search by the memberOf attribute. What is the recommended way generate the memberOf atribute? Should I modify the schema for a user and somehow maintain the memberOf attribute on the masters? I am a bit worried about this since looking at the slapo-memberOf source the memberOf attribute it is flagged as a DSAOperation.

1 0

OpenLDAP, MySQL e MemberOf
by Arianna Milazzo 11 May '18

11 May '18

Hello! I installed openLDAP with MySQL. Now I don't know how can I do to use "memberOf" in my slapd.conf I added: overlay memberof > memberof-group-oc groupOfNames > memberof-member-ad member > memberof-memberof-ad memberOf > But in database? I tried to add member and memberon in ldap_attr_mappings... How can I do??? Thank you, Aria

1 0

SASL pass-through and changing passwords
by linux nuse 11 May '18

11 May '18

Hi, There was similar topic 5 years ago, but the problem wasn't completely solved. I've set `olcPasswordHash` to `{SASL}`, so ldappaswd is no longer smashing `userPassword` attribute. I get the same error which Tim Watts encountered 5 years ago. https://www.openldap.org/lists/openldap-technical/201302/msg00190.html namely, ldappaswd says: > Result: Other (e.g., implementation specific) error (80) > Additional info: scheme provided no hash function Tim wrote: > However, the kerberos principle does get updated - and userPassword is left alone. In my case I just get the error and the kerberos password is NOT updated. Also, 9 years ago it was asked (https://www.openldap.org/lists/openldap-software/200909/msg00010.html): > - salspasswd2 calls sasl_setpass(), and a look at OpenLDAP sources > shows that passwd_extop()/slap_sasl_setpass() does the same. That > suggests it is possible to have slapd doing the thing, but how does > it works? In passwd_extop(), slap_sasl_setpass() will only be > called if op-o_bd is NULL. In what situation does it happen? But the question is not answered. Does anyone remember how passwd_extop() works and how to get into the if-statement block with call to slap_sasl_setpass()?

1 0

Re: Optimal configuration for olcToolThreads and olcThreads
by Quanah Gibson-Mount 10 May '18

10 May '18

--On Thursday, May 10, 2018 1:10 PM -0700 rammohan ganapavarapu <rammohanganap(a)gmail.com> wrote: > > Quanah, > > > Thank you, i am using MDB, so do you recommend me to change it from 1 to > 2? by setting it to 2 will improve any performance? also this property > doesnt have any impact on replication (syncrepl) ? Again, the tool threads setting only affects slapadd. So it will improve the performance of slapadd if you set it to "2" instead of "1". Since it only affects offline operations, it has no effect on syncrepl. --Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

1 0

Re: Optimal configuration for olcToolThreads and olcThreads
by Quanah Gibson-Mount 10 May '18

10 May '18

--On Thursday, May 10, 2018 12:58 PM -0700 rammohan ganapavarapu <rammohanganap(a)gmail.com> wrote: > > To add more to the previous query, what are the operations used > by olcToolThreads and what are by olcThreads? what does syncrepl > uses olcToolThreads or olcThreads? olcToolThreads is used by slapadd. What value it should be depends on the backend being used. If it is LMDB, then you want it to be no higher than 2. If you set it to more than 2, it'll be set to 2 internally. For other backends, such as back-bdb/hdb, it can result in significant improvement when loading data via slapadd. olcThreads controls how many threads are available to the slapd process. --Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

1 0

pwdRESET not working
by Net Warrior 08 May '18

08 May '18

Hello there guys, when setting the pwsReset to TRUE I cannot login to the system anymore, just get the permission denied, then I found this. https://github.com/pwm-project/pwm/issues/155 Did I face that bug or maybe it's something else? My system CentOS Linux release 7.4.1708 (Core) 3.10.0-693.21.1.el7.x86_64 #1 SMP Wed Mar 7 19:03:37 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux openldap-servers-2.4.44-5.el7.x86_64 openssl-libs-1.0.2k-8.el7.x86_64 openldap-clients-2.4.44-5.el7.x86_64 openldap-2.4.44-5.el7.x86_64 objectClass: pwdPolicy objectClass: person objectClass: top pwdAllowUserChange: TRUE pwdAttribute: userPassword pwdCheckQuality: 2 pwdFailureCountInterval: 30 pwdGraceAuthNLimit: 5 pwdInHistory: 5 pwdLockout: TRUE pwdMaxFailure: 5 pwdMinLength: 5 pwdSafeModify: FALSE sn: default structuralObjectClass: person pwdExpireWarning: 432000 pwdLockoutDuration: 1800 pwdMaxAge: 7776000 pwdMustChange: TRUE pwdMinAge: 0 Thanks Regards

2 1

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical