openldap-technical

openldap-technical@openldap.org

4 participants
9898 discussions

Re: Attribute map/substitution
by Quanah Gibson-Mount 28 Sep '17

28 Sep '17

--On Wednesday, September 27, 2017 11:53 AM +0200 Ervin Hegedüs <airween(a)gmail.com> wrote: > The problem is, that (for example) ntPassword and lmPassword attributes > are doesn't exists (sAMAccountName and objectSid also...). > > I thing that the ntPassword is the sambaNTPassword, which is part of the > samba.scheme. > > But how can I configure the OpenLDAP to server these attributes? The larger question is, does it actually need those attributes to function? If so, then you'll need to find schema defining them, add that schema to your OpenLDAP server, and then populate them. It may well not *require* them to be present in the entry (for example, it looks at all of: ntPassword, lmPassword, userPassword). My guess would be that as long as it can access one of those it is fine. However, the fact that it's trying to get a value back for a password shows that the piece of software is poorly written and should be avoided. There's zero reason for it to have read access to a password attribute. --Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

1 0

Re: need an example of using "ldap_search_s" function using the "attr" parameter.
by Quanah Gibson-Mount 28 Sep '17

28 Sep '17

--On Monday, September 25, 2017 11:56 PM +0000 Don jessup <djessup72(a)yahoo.com> wrote: > To limit the information coming back from the server I only want the > values of the "sAMAccountName" attribute. Every time I try populating > the "attrs" parameter I get an error. I was wondering if I could be > pointed to an example or 2 that uses the parameter. ldap_search_s is deprecated, you should be using ldap_search_ext_s instead. However, libraries/libldap/sasl.c has a trivial example of using attrs with ldap_search_s: char *attrs[] = { "supportedSASLMechanisms", NULL }; rc = ldap_search_s( ld, "", LDAP_SCOPE_BASE, NULL, attrs, 0, &res ); --Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

1 0

meta backend , rwm AD source , uppercase to lowercase
by Nicolas Renault 28 Sep '17

28 Sep '17

Hello, My question, I have a meta backend that work perfectly but on the dev team somebody ask me : Why on AD this organizationalUnit have these valuies on attrs : managedBy: CN=Surname Name,OU=Users,DC=domain,DC=fr seeAlso: CN=Sunrame2 Name2,OU=Users,DC=domain,DC=fr and on meta on the same OU : managedBy: cn=surname name,ou=Users,ou=meta,dc=domain,dc=fr seeAlso: cn=Surname2 Name2,ou=Users,ou=META,dc=domain,dc=fr the AD is "bind" to ou=META,dc=domain,dc=fr ( suffixemassage) all OU on meta have the same behavior so * why on managedBy attr all is modified in lowercase and only CN and OU on seeAlso ? * how work uppercase to lowercase with meta backend ? is overlay rwm implicated ? my meta backend config is very long but somme informations moduleload back_meta moduleload rwm moduleload valsort moduleload memberof moduleload dynlist moduleload sssvlv.so moduleload collect moduleload pcache moduleload back_monitor moduleload back_ldap moduleload back_mdb overlay rwm rwm-rewriteEngine on rwm-normalize-mapped-attrs yes ... lot of rewrite rules etc. version : @(#) $OpenLDAP: slapd 2.4.44 $ opensuse-buildservice(a)opensuse.org openSUSE Leap 42.2 thanks for your answers. Nicolas

1 0

Re: Locker killed to resolve a deadlock
by Quanah Gibson-Mount 27 Sep '17

27 Sep '17

--On Wednesday, September 27, 2017 3:05 PM +0900 Jorgen Lundman <lundman(a)lundman.net> wrote: > we have told it to syncrepl from scratch into an empty > directory. Catastrophically bad idea with OpenLDAP 2.4.36. You may want to read over the various sync issues that have been fixed since that release (Current release is 2.4.45). The only safe way for you to reload another server will be slapcat/slapadd. Generally, I'd strongly advise upgrading to a current release and switching to back-mdb, eliminating BDB entirely. --Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

1 0

Attribute map/substitution
by Ervin Hegedüs 27 Sep '17

27 Sep '17

Hi folks, here is a Captive Portal (from Aruba), and we would like to integrate it with OpenLDAP tu authenticate users (for 802.1x). The server is a Debian 8, with OpenLDAP 2.4. I've set up the loglevel, and I see the query in the log: Sep 27 09:56:50 srv slapd[19709]: filter: (&(uid=airween)(objectClass=*)) Sep 27 09:56:50 srv slapd[19709]: attrs: Sep 27 09:56:50 srv slapd[19709]: ntPassword Sep 27 09:56:50 srv slapd[19709]: lmPassword Sep 27 09:56:50 srv slapd[19709]: radiusReplyMessage Sep 27 09:56:50 srv slapd[19709]: radiusFilterId Sep 27 09:56:50 srv slapd[19709]: userPassword Sep 27 09:56:50 srv slapd[19709]: userCertificate Sep 27 09:56:50 srv slapd[19709]: sAMAccountName Sep 27 09:56:50 srv slapd[19709]: objectSid Sep 27 09:56:50 srv slapd[19709]: The problem is, that (for example) ntPassword and lmPassword attributes are doesn't exists (sAMAccountName and objectSid also...). I thing that the ntPassword is the sambaNTPassword, which is part of the samba.scheme. But how can I configure the OpenLDAP to server these attributes? I've found the slapo-rwm manpages, but nothing more useful informations... Could anybody helps to explain, how rwm's works? What do I need to do with this OpenLDAP (eg. modify the existing config) to solve that problem? On CP side there isn't any way to change the attributes - as I saw. Thanks, a.

1 0

Re: Locker killed to resolve a deadlock
by Quanah Gibson-Mount 27 Sep '17

27 Sep '17

--On Tuesday, September 26, 2017 9:56 AM +0900 Jorgen Lundman <lundman(a)lundman.net> wrote: > > Unfortunately, this is not our experience - although it is possible the > message is just a distraction. > > slapd stops all syncrepl, and responding, until they call us to restart > it. Interesting, I wonder if the BDB database has corrupted. Have you tried rebuilding the database(s) on the system via slapcat/slapadd? --Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

2 1

Re: Locker killed to resolve a deadlock
by Quanah Gibson-Mount 26 Sep '17

26 Sep '17

--On Friday, September 22, 2017 4:26 PM +0900 Jorgen Lundman <lundman(a)lundman.net> wrote: > This has started to cause trouble, in the last month or so. The errors > are: > > Sep 22 06:08:26 vmx02 slapd[14039]: [ID 960831 local4.debug] => > bdb_idl_delete_key: c_get failed: DB_LOCK_DEADLOCK: Locker killed to > resolve a deadlock (-30994) These can be safely ignored. See <http://www.openldap.org/lists/openldap-software/200810/msg00055.html> --Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

2 1

need an example of using "ldap_search_s" function using the "attr" parameter.
by Don jessup 26 Sep '17

26 Sep '17

I trying to use the "ldap_serach_s" function and my filter works great if put NULL in for the "attrs" parameter. Here is example filter [(&(member=cn=Bob,ou=colo,dc=bigco,dc=com,dc=local)(objectCategory=Group))] To limit the information coming back from the server I only want the values of the "sAMAccountName" attribute. Every time I try populating the "attrs" parameter I get an error. I was wondering if I could be pointed to an example or 2 that uses the parameter. ThanksDon

1 0

Re: slapd: null_callback : error code 0x14
by Quanah Gibson-Mount 25 Sep '17

25 Sep '17

--On Friday, September 22, 2017 10:15 PM -0700 "Paul B. Henson" <henson(a)acm.org> wrote: > I see there was a proposed patch posted on 8/25 that's been applied to > RE24, I'll add that to my system and see if the issue goes away. Am I > correct in my assumption that the patch only needs to be applied to the > system that is receiving the updates? I believe that is correct. :) --Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

1 0

Re: Olc deployment vs slapd.conf based deployment
by Howard Chu 25 Sep '17

25 Sep '17

Peter wrote: >> olcSchemaFile: {0}include: file://$ABS_SCHEMADIR/core.ldif >> olcSchemaFile: {1}include: file://$ABS_SCHEMADIR/cosine.ldif >> olcSchemaFile: {2}include: file://$ABS_SCHEMADIR/inetorgperson.ldif > > That is a very nice proposal, it would sort of give us the good things of both > worlds. It means you would not be able to edit the schema contained within these directives over LDAP, since those elements aren't themselves part of the cn=config DIT. So no, it's not the good things of both worlds. > IMHO schema is the only thing where cn=config makes life harder than slapd.conf. > > Being a long time lurker on this list it is fun to see that although same > subjects like config alternatives, turn up again and again, the arguments and > solution proposals at least sometimes do progress. > > Cheers > > Peter > > > > Am 15.09.2017 um 20:33 schrieb Quanah Gibson-Mount: >> --On Friday, September 15, 2017 12:24 PM -0700 Ryan Tandy <ryan(a)nardis.ca> >> wrote: >> >> >>> There was some talk, either in IRC or on -devel, of creating a way for >>> cn=config to reference schema files (possibly LDIF) on disk rather than >>> importing them into the config database. I think that would be an >>> improvement. Importing schemas into cn=config is cool - especially if you >>> want to replicate the config - but I'm not sure it's a good default. >> >> Since ordering is mandatory, it would be nice if you could just do something >> like: >> >> olcSchemaFile: {0}include: file://$ABS_SCHEMADIR/core.ldif >> olcSchemaFile: {1}include: file://$ABS_SCHEMADIR/cosine.ldif >> olcSchemaFile: {2}include: file://$ABS_SCHEMADIR/inetorgperson.ldif >> >> >> etc. Then you could change the schema files on disk, and cn=config would >> just load them in when it started. It'd certainly make the behavior >> analagous to slapd.conf, and allow for easier rollback/testing. >> >> --Quanah >> >> >> -- >> >> Quanah Gibson-Mount >> Product Architect >> Symas Corporation >> Packaged, certified, and supported LDAP solutions powered by OpenLDAP: >> <http://www.symas.com> >> >> > -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

2 1

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical