openldap-technical

openldap-technical@openldap.org

9897 discussions

Re: uidNumber for Service Accounts?
by Douglas Duckworth 25 Oct '17

25 Oct '17

Thanks Michael! No, we do not have uidNumber-based ACLs only DN based. I will remove the uidNumber. Thanks Doug Thanks, Douglas Duckworth, MSc, LFCS HPC System Administrator Scientific Computing Unit Physiology and Biophysics Weill Cornell Medicine E: doug(a)med.cornell.edu O: 212-746-6305 F: 212-746-8690 On Wed, Oct 25, 2017 at 9:55 AM, Michael Ströder <michael(a)stroeder.com> wrote: > Douglas Duckworth wrote: > > Do I need uidNumber for Service Accounts used for application / server > > binding if this user won't actually be resolved by sssd or nslcd? > > In general if your client only binds to the LDAP server it doesn't need > 'uidNumber' attribute. It just needs a bind-DN and a password in its > config. I assume though that your LDAP server does not have ACLs based > uidNumber-based filter affecting your client. > > And I don't know whether something else in your deployment needs it. > This only you can find out. > > Ciao, Michael. > >

1 0

Re: [EXTERNAL] pwdPolicySubentry: value #0 already exists
by Douglas Duckworth 25 Oct '17

25 Oct '17

Thanks so much, Jon! I can see it clearly now! # Service Accounts, domain dn: ou=Service Accounts,domain # g14classified, Service Accounts, domain dn: uid=g14classified,ou=Service Accounts,domain pwdPolicySubentry: cn=CustomBindAccountPolicy,ou=Policies,domain Thanks, Douglas Duckworth, MSc, LFCS HPC System Administrator Scientific Computing Unit Physiology and Biophysics Weill Cornell Medicine E: doug(a)med.cornell.edu O: 212-746-6305 F: 212-746-8690 On Wed, Oct 25, 2017 at 9:34 AM, Jon C Kidder <jckidder(a)aep.com> wrote: > pwdPolicySubentry is an operational attribute. It will not be returned in > search results unless you explicitly request it or use + in your requested > attribute list. > > > > If you change the add to a replace in your ldif file your modify operation > should succeed. > > > > > <https://urldefense.proofpoint.com/v2/url?u=http-3A__www.aep.com_&d=DwMGaQ&c…> > > *JON C KIDDER* | *MIDDLEWARE ADMINISTRATOR LEAD* > JCKIDDER(a)AEP.COM | D:614.716.4970 <(614)%20716-4970> > 1 RIVERSIDE PLAZA, COLUMBUS, OH 43215 > <https://maps.google.com/?q=1+RIVERSIDE+PLAZA,+COLUMBUS,+OH+43215&entry=gmai…> > > > > *From:* openldap-technical [mailto:openldap-technical-bounces@openldap.org] > *On Behalf Of *Douglas Duckworth > *Sent:* Wednesday, October 25, 2017 9:24 AM > *To:* Openldap Technical > *Subject:* [EXTERNAL] pwdPolicySubentry: value #0 already exists > > > > This is an EXTERNAL email. STOP. THINK before you CLICK links or OPEN > attachments. If suspicious please forward to incidents(a)aep.com for review. > ------------------------------ > > Hi > > > > I am trying to make sure my bind Service Account's password does not > expire. I set this in ou=Policies with the intention that the policy would > only be applied to this user: > > > > # Policies, domain > > dn: ou=Policies,domain > > ou: Policies > > objectClass: organizationalUnit > > > > # CustomBindAccountPolicy, Policies, domain > > dn: cn=CustomBindAccountPolicy,ou=Policies,domain > > objectClass: person > > objectClass: top > > cn: passwordDefault > > cn: CustomBindAccountPolicy > > sn: passwordDefault > > pwdAttribute: userPassword > > pwdMinAge: 0 > > pwdMaxAge: 0 > > pwdLockout: FALSE > > > > However, I do not see this dn referenced on the user: > > > > # importantuser, Service Accounts, domain > > dn: uid=importantuser,ou=Service Accounts,domain > > objectClass: top > > objectClass: account > > objectClass: posixAccount > > objectClass: extensibleObject > > uid: binduser > > cn: bind > > sn: user > > givenName: binduser > > title: Account > > loginShell: /dev/null > > uidNumber: 123 > > gidNumber: 456 > > homeDirectory: /dev/null > > description: Service Account > > userPassword:: password123 > > > > When I try to add using ldapadd and this ldif: > > > > dn: uid=importantuser,ou=Service Accounts,domain > > changetype: modify > > add: pwdPolicySubentry > > pwdPolicySubentry: cn=CustomBindAccountPolicy,ou= > Policies,dc=davinci,dc=med,dc=cornell,dc=edu > > > > I get this error: > > me@nsa[~/ldap]$ ladd server.ldif > > > > Enter LDAP Password: > > modifying entry "uid=importantuser,ou=Service Accounts,domain" > > ldap_modify: Type or value exists (20) > > additional info: modify/add: pwdPolicySubentry: value #0 already > exists > > > > Do you have any idea what could be happening? My ACL's allow the binduser > to see everything so I don't understand what's happening. > > > > Thank you very much! > > > > > Thanks, > > > Douglas Duckworth, MSc, LFCS > HPC System Administrator > Scientific Computing Unit > > Physiology and Biophysics > > Weill Cornell Medicine > > E: doug(a)med.cornell.edu > O: 212-746-6305 <(212)%20746-6305> > F: 212-746-8690 <(212)%20746-8690> >

1 0

pwdPolicySubentry: value #0 already exists
by Douglas Duckworth 25 Oct '17

25 Oct '17

Hi I am trying to make sure my bind Service Account's password does not expire. I set this in ou=Policies with the intention that the policy would only be applied to this user: # Policies, domain dn: ou=Policies,domain ou: Policies objectClass: organizationalUnit # CustomBindAccountPolicy, Policies, domain dn: cn=CustomBindAccountPolicy,ou=Policies,domain objectClass: person objectClass: top cn: passwordDefault cn: CustomBindAccountPolicy sn: passwordDefault pwdAttribute: userPassword pwdMinAge: 0 pwdMaxAge: 0 pwdLockout: FALSE However, I do not see this dn referenced on the user: # importantuser, Service Accounts, domain dn: uid=importantuser,ou=Service Accounts,domain objectClass: top objectClass: account objectClass: posixAccount objectClass: extensibleObject uid: binduser cn: bind sn: user givenName: binduser title: Account loginShell: /dev/null uidNumber: 123 gidNumber: 456 homeDirectory: /dev/null description: Service Account userPassword:: password123 When I try to add using ldapadd and this ldif: dn: uid=importantuser,ou=Service Accounts,domain changetype: modify add: pwdPolicySubentry pwdPolicySubentry: cn=CustomBindAccountPolicy,ou=Policies,dc=davinci,dc=med,dc=cornell,dc=edu I get this error: me@nsa[~/ldap]$ ladd server.ldif Enter LDAP Password: modifying entry "uid=importantuser,ou=Service Accounts,domain" ldap_modify: Type or value exists (20) additional info: modify/add: pwdPolicySubentry: value #0 already exists Do you have any idea what could be happening? My ACL's allow the binduser to see everything so I don't understand what's happening. Thank you very much! Thanks, Douglas Duckworth, MSc, LFCS HPC System Administrator Scientific Computing Unit Physiology and Biophysics Weill Cornell Medicine E: doug(a)med.cornell.edu O: 212-746-6305 F: 212-746-8690

2 1

How do internet-facing, multi-domain ldap servers handle TLS?
by John Lewis 20 Oct '17

20 Oct '17

How do internet-facing, multi-domain ldap servers handle TLS? Do they go multi-port or do they use one TLS certificate that covers all of the domains, or do they get more IP addresses that are all on different domains?

1 0

Re: Antw: Re: [Q] amendments to schemes existent
by Zeus Panchenko 20 Oct '17

20 Oct '17

Ulrich Windl <Ulrich.Windl(a)rz.uni-regensburg.de> wrote: > But you are basically changing the semantics of attribute authorizedService: > Before "*" was literal, after it is magic (substring match). > > The discussion on which variant is more useful is a different issue ;-) for *my* flow, the variant of original schema is unusable since I have pleny of values and to hardcode all of them for all available searches is not good idea, to my mind ... if to return to the starting question: is there other way to get originally SUBSTR-less attributes to be matchable by substring, except hacking the scheme? -- Zeus V. Panchenko jid:zeus@im.ibs.dn.ua IT Dpt., I.B.S. LLC GMT+2 (EET)

2 4

ldapsearch and inherit attributes
by Sylvain 19 Oct '17

19 Oct '17

Hi, If "AAA" is the superior attribute of "BBB" and if I do ldapsearch uid=sylvain AAA. Results will include BBB attributes. Is this possible for ldapsearch to return only AAA ? Thanks, Sylvain

1 0

[Q] amendments to schemes existent
by Zeus Panchenko 18 Oct '17

18 Oct '17

greetings, I'm wondering of search possibility lack for some attributes my question is: is it correct/good/sane/e.t.c. to patch them this way? is there other way to get those attributes searchable? for example I have to patch some schemes like this: ---[ PATCH SAMPLES START ]--------------------------------------------------- --- dhcp.schema.orig 2017-08-25 13:14:26.691570000 +0300 +++ dhcp.schema 2017-08-25 13:15:56.558980000 +0300 @@ -14,6 +14,7 @@ attributetype ( 2.16.840.1.113719.1.203. NAME 'dhcpStatements' EQUALITY caseIgnoreIA5Match DESC 'Flexible storage for specific data depending on what object this exists in. Like conditional statements, server parameters, etc. This allows the standard to evolve without needing to adjust the schema.' + SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) attributetype ( 2.16.840.1.113719.1.203.4.4 @@ -38,6 +39,7 @@ attributetype ( 2.16.840.1.113719.1.203. NAME 'dhcpOption' EQUALITY caseIgnoreIA5Match DESC 'Encoded option values to be sent to clients. Each value represents a single option and contains (OptionTag, Length, OptionValue) encoded in the format used by DHCP.' + SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) attributetype ( 2.16.840.1.113719.1.203.4.8 @@ -199,6 +201,7 @@ attributetype ( 2.16.840.1.113719.1.203. attributetype ( 2.16.840.1.113719.1.203.4.34 NAME 'dhcpHWAddress' EQUALITY caseIgnoreIA5Match + SUBSTR caseIgnoreIA5SubstringsMatch DESC 'The clients hardware address that requested this IP address.' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) --- ldapns.schema.orig 2014-09-15 23:47:56.135989000 +0300 +++ ldapns.schema 2015-02-15 23:50:53.714906292 +0200 @@ -1,6 +1,7 @@ attributetype ( 1.3.6.1.4.1.5322.17.2.1 NAME 'authorizedService' DESC 'IANA GSS-API authorized service name' EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} ) objectclass ( 1.3.6.1.4.1.5322.17.1.1 NAME 'authorizedServiceObject' --- nis.schema.orig 2017-02-11 21:38:48.984906000 +0200 +++ nis.schema 2017-10-02 13:20:52.140691000 +0300 @@ -55,6 +55,7 @@ attributetype ( 1.3.6.1.1.1.1.2 NAME 'ge attributetype ( 1.3.6.1.1.1.1.3 NAME 'homeDirectory' DESC 'The absolute path to the home directory' EQUALITY caseExactIA5Match + SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) attributetype ( 1.3.6.1.1.1.1.4 NAME 'loginShell' ---[ PATCH SAMPLES STOP ]--------------------------------------------------- -- IT dpt., I.B.S. LLC

2 2

[ldapmodify] multiple entries of the same attibute
by richard lucassen 18 Oct '17

18 Oct '17

Hello list, I've got records with e.g. multiple mail: entries per dn: dn: cn=Joe Sixpack,ou=addressbook,dc=example,dc=org [ 8< 8< 8< snip objectclasses and other stuff 8< 8< 8< ] mail: user1(a)example.com mail: user2(a)example.com mail: user3(a)example.com GUI ldap clients like jxplorer are able to change a single mail: entry. Using "ldapmodify" I replace the first mail: entry, but it will delete the other mail: antries: ################################################################# change.diff file: dn: cn=Joe Sixpack,ou=addressbook,dc=example,dc=com changetype: modify replace: mail mail: otheruser(a)example.com - ################################################################# invoke: ldapmodify -x -D "cn=admin,dc=example,dc=com" -W -f change.ldif ################################################################# result: dn: cn=Joe Sixpack,ou=addressbook,dc=example,dc=org [ 8< 8< 8< snip objectclasses and other stuff 8< 8< 8< ] mail: otheruser(a)example.com ################################################################# Is there a way to tell ldapmodify to change just a particular entry? R. -- richard lucassen http://contact.xaq.nl/

4 6

Re: Empty directory memory consumption
by Quanah Gibson-Mount 18 Oct '17

18 Oct '17

--On Wednesday, October 18, 2017 5:04 PM +1300 Ivan Kurnosov <zerkms(a)zerkms.ru> wrote: > I have found, that just installed slapd (2.4.42+dfsg-2ubuntu3.2) on > ubuntu 16.04 consumes 730MB+ or resident memory (RSS). Only consumes 12 MB on my Ubuntu 16.04 system. But I don't use the build supplied by Ubuntu, I use my own. So I cannot say what Ubuntu's done to cause this. --Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

1 0

Empty directory memory consumption
by Ivan Kurnosov 17 Oct '17

17 Oct '17

Hi, I have found, that just installed slapd (2.4.42+dfsg-2ubuntu3.2) on ubuntu 16.04 consumes 730MB+ or resident memory (RSS). It's an empty database (with `cn=config` only and whatever comes by default), is it supposed to consume so much memory? -- With best regards, Ivan Kurnosov

1 0

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical