openldap-technical

openldap-technical@openldap.org

1 participants
9898 discussions

EXOPs for PHP LDAP
by Côme Chilliet 21 Jul '17

21 Jul '17

Hello, I’m currently working on a PHP RFC to add EXOP handling to php-ldap. The draft is here: https://wiki.php.net/rfc/ldap_exop You are welcome to comment on any aspect of the RFC, but I would especially want to know: - Which are the EXOPs actually used by people out there? - Is there any EXOP using the responseName field? In the RFCs I read there is always something like «an ExtendedResponse where the responseName field is absent» or «The responseName field contains the same string as that present in the request.» Côme

2 7

Re: Limiting Search Results By Group Membership
by Douglas Duckworth 21 Jul '17

21 Jul '17

In the old openldap-servers-2.2.13-4 from which I copied this data: /etc/openldap/schema/nis.schema objectclass ( 1.3.6.1.1.1.2.2 NAME 'posixGroup' SUP top STRUCTURAL DESC 'Abstraction of a group of accounts' MUST ( cn $ gidNumber ) MAY ( userPassword $ memberUid $ description ) ) attributetype ( 1.3.6.1.1.1.1.12 NAME 'memberUid' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) In /etc/openldap/schema/core.schema I do see: attributetype ( 2.5.4.31 NAME 'member' DESC 'RFC2256: member of a group' SUP distinguishedName ) As well as: objectclass ( 2.5.6.9 NAME 'groupOfNames' DESC 'RFC2256: a group of names (DNs)' SUP top STRUCTURAL MUST ( member $ cn ) MAY ( businessCategory $ seeAlso $ owner $ ou $ o $ description ) ) Am I rfc2307 or rfc2307bis? According to sssd-ldap man page: ldap_group_member (string) The LDAP attribute that contains the names of the group´s members. Default: memberuid (rfc2307) / member (rfc2307bis) I am currently using memberuid obviously so my clients can talk to the old server. Thanks so much for your needed assistance! Thanks, Douglas Duckworth, MSc, LFCS HPC System Administrator Scientific Computing Unit Physiology and Biophysics Weill Cornell Medicine E: doug(a)med.cornell.edu O: 212-746-6305 F: 212-746-8690 On Fri, Jul 21, 2017 at 12:23 PM, Quanah Gibson-Mount <quanah(a)symas.com> wrote: > --On Friday, July 21, 2017 10:53 AM -0400 Douglas Duckworth > <dod2014(a)med.cornell.edu> wrote: > > > limits > > group/posixGroup/memberUid="cn=admins,ou=group,dc=server,dc=domain" > > size=unlimited time=unlimited > > > > Though I am still hitting the limit. > > Hi Douglas, > > It would probably be worthwhile to dig into LDAP schema to understand > attribute definitions, matching rules, etc. > > To start, memberUid is a string type. It's not a DN type: > > attributetype ( 1.3.6.1.1.1.1.12 NAME 'memberUid' > EQUALITY caseExactIA5Match > SUBSTR caseExactIA5SubstringsMatch > SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) > > As opposed to member, which is specifically a DN type: > > attributetype: ( 2.5.4.31 NAME 'member' > DESC 'RFC2256: member of a group' > SUP distinguishedName ) > > attributetype: ( 2.5.4.49 NAME 'distinguishedName' > EQUALITY distinguishedNameMatch > SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 ) > > Regards, > Quanah > > -- > > Quanah Gibson-Mount > Product Architect > Symas Corporation > Packaged, certified, and supported LDAP solutions powered by OpenLDAP: > <https://urldefense.proofpoint.com/v2/url?u=http- > 3A__www.symas.com&d=DwIFaQ&c=lb62iw4YL4RFalcE2hQUQealT9- > RXrryqt9KZX2qu2s&r=2Fzhh_78OGspKQpl_e-CbhH6xUjnRkaqPFUS2wTJ2cw&m= > kbjP16BBt5vXdPM9Whbvm854h6iISbROyp41L0OQ2lw&s=mC1OpgC- > KwREoe7aDfE6We28klGIEg6GvZBSzx-DiQE&e= > > >

1 0

Re: Limiting Search Results By Group Membership
by Quanah Gibson-Mount 21 Jul '17

21 Jul '17

--On Friday, July 21, 2017 10:53 AM -0400 Douglas Duckworth <dod2014(a)med.cornell.edu> wrote: > limits > group/posixGroup/memberUid="cn=admins,ou=group,dc=server,dc=domain" > size=unlimited time=unlimited > > Though I am still hitting the limit. Hi Douglas, It would probably be worthwhile to dig into LDAP schema to understand attribute definitions, matching rules, etc. To start, memberUid is a string type. It's not a DN type: attributetype ( 1.3.6.1.1.1.1.12 NAME 'memberUid' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) As opposed to member, which is specifically a DN type: attributetype: ( 2.5.4.31 NAME 'member' DESC 'RFC2256: member of a group' SUP distinguishedName ) attributetype: ( 2.5.4.49 NAME 'distinguishedName' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 ) Regards, Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

1 0

Re: Limiting Search Results By Group Membership
by Douglas Duckworth 21 Jul '17

21 Jul '17

Thanks. Yes, very helpful. For the group that lists our accounts I now have full DN dn: cn=admins,ou=group,dc=server,dc=domain objectClass: posixGroup objectClass: top cn: admins memberUid: uid=user,ou=accounts,dc=server,dc=domain slapd.conf: limits group/posixGroup/memberUid="cn=admins,ou=group,dc=server,dc=domain" size=unlimited time=unlimited Though I am still hitting the limit. Thanks, Douglas Duckworth, MSc, LFCS HPC System Administrator Scientific Computing Unit Physiology and Biophysics Weill Cornell Medicine E: doug(a)med.cornell.edu O: 212-746-6305 F: 212-746-8690 On Wed, Jul 19, 2017 at 6:25 PM, Quanah Gibson-Mount <quanah(a)symas.com> wrote: > --On Tuesday, July 18, 2017 4:32 PM -0400 Douglas Duckworth > <dod2014(a)med.cornell.edu> wrote: > > ># admins, group, ldap.server > > dn: cn=admins,dc=blah > > objectClass: posixGroup > > objectClass: top > > cn: admins > > memberUid: admin1 > > memberUid: admin2 > > > > Do you have any insight into what could be causing this behavior? I > > have not found the answer yet through extensive searching of the > > internets. > > Hi Douglas, > > The answer lies in the slapd.conf(5) man page, in the description of the > "limits" directive, specifically in this portion: > > "sets the limits for any DN listed in the values of the at attribute" > > memberUID does not contain a DN, therefore it cannot be used. Hope that > helps! > > Regards, > Quanah > > -- > > Quanah Gibson-Mount > Product Architect > Symas Corporation > Packaged, certified, and supported LDAP solutions powered by OpenLDAP: > <https://urldefense.proofpoint.com/v2/url?u=http- > 3A__www.symas.com&d=DwIFaQ&c=lb62iw4YL4RFalcE2hQUQealT9- > RXrryqt9KZX2qu2s&r=2Fzhh_78OGspKQpl_e-CbhH6xUjnRkaqPFUS2wTJ2cw&m= > 91FmzFy5LT0oV9_Olhg0-lXej0TEADB8w4Tft72zqXs&s= > rnsVibsarNFQ1327v29L487KiPFGapoLz4PZ55l7Hsc&e= > > >

1 0

Re: OpenLDAP server sizing
by Quanah Gibson-Mount 21 Jul '17

21 Jul '17

--On Wednesday, July 19, 2017 7:18 PM +0000 "Edgar Sanchez Arenas (edgasanc)" <edgasanc(a)cisco.com> wrote: > > > Hello, > > > > Is there a guide to do server sizing (CPU, memory, HD) for OpenLDAP? Hi Edgar, What database backend technology do you plan on using. Do you know how much disk space your database will consume? How many anticipated clients? Anticipated read & write rate? etc. Generally, if you have slapd-mdb as your backend, then you want your RAM to be greater than the database size for optimal performance. For HD, it's generally recommended to use SSD. CPU's will depend on your anticipated read etc rates. I.e., substantially more information is necessary to really give any solid advice. --Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

2 1

Configuring OpenLDAP with a custom schema instead of default schemas
by Jon Smark 20 Jul '17

20 Jul '17

Hi, I'm new to OpenLDAP and I'm finding it hard to perform the initial configuration (a lot of the information I find online seems to pertain only to old versions of OpenLDAP, which used a different configuration system). Anyway, I have defined a schema file with the custom attributes and object classes relevant to my domain. Starting from a fresh installation of OpenLDAP 2.4.42 running on Ubuntu 16.04, I want to configure my Slapd server to *only* consider my schema file and to ignore all the other schemas it's configured to use by default. I thought it would be as simple as removing the old /etc/ldap/slapd.d and replacing it with the output of slaptest applied to my schema file. This doesn't work, unfortunately, because slapd refuses to start afterwords. I apologize if this question seems basic, but I'm stuck on this very first step and I've been unable to find an up-to-date tutorial on how to configure a recent OpenLDAP server from scratch (ie, without all the default schemas). Thanks in advance for your kind help! Regards, Jon

6 6

Re: Limiting Search Results By Group Membership
by Quanah Gibson-Mount 19 Jul '17

19 Jul '17

--On Tuesday, July 18, 2017 4:32 PM -0400 Douglas Duckworth <dod2014(a)med.cornell.edu> wrote: ># admins, group, ldap.server > dn: cn=admins,dc=blah > objectClass: posixGroup > objectClass: top > cn: admins > memberUid: admin1 > memberUid: admin2 > > Do you have any insight into what could be causing this behavior? I > have not found the answer yet through extensive searching of the > internets. Hi Douglas, The answer lies in the slapd.conf(5) man page, in the description of the "limits" directive, specifically in this portion: "sets the limits for any DN listed in the values of the at attribute" memberUID does not contain a DN, therefore it cannot be used. Hope that helps! Regards, Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

1 0

Re: multi-value attribute rejected
by Quanah Gibson-Mount 19 Jul '17

19 Jul '17

--On Wednesday, July 19, 2017 7:51 PM +0100 Brad <braduk1973(a)gmail.com> wrote: > > > Thanks for the replies Michael and Quanah, appreciated. > > Here's some log output showing the content of one of the failed entries: > > cACertificate;binary: 308204423082032AA00302010202010... > cACertificate;binary: 3082039C30820284A00302010202010... > > Looks like the repeated cACertificate attributes do actually have > different values. May depend on the verification routines for CACertificate binary data. Do the two CA's have the same subject line? I haven't dug into the code yet to see how it does the comparison for these values, so it could be way off base. > (Note: apologies for any duplicate messages, I'm having issues getting my > posts to register with the mailing list) The list is moderated. It may just take a bit for a moderator to approve. --Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

1 0

OpenLDAP server sizing
by Edgar Sanchez Arenas (edgasanc) 19 Jul '17

19 Jul '17

Hello, Is there a guide to do server sizing (CPU, memory, HD) for OpenLDAP? Thank you, Edgar Sanchez

1 0

Limiting Search Results By Group Membership
by Douglas Duckworth 18 Jul '17

18 Jul '17

Hi Everyone, I am building a new LDAP v 2.4 cluster. We do not allow anonymous binds and set "sizelimit 1" for all users except our service account used for binding. limits dn.exact="uid=important,ou=sa,dc=blah" size=unlimited time=unlimited provides the bind account unlimited results. However, for group members, I am still hitting the "sizelimit 1" when trying: limits group/posixGroup/memberUid="cn=admins,dc=blah" size=unlimited time=unlimited Our group entry in LDAP: # admins, group, ldap.server dn: cn=admins,dc=blah objectClass: posixGroup objectClass: top cn: admins memberUid: admin1 memberUid: admin2 >From reading the slapd.conf man page, it seems we're not using the default objectclass "groupOfNames," or attribute "member," however when I use the defaults, or the above which exist in our directory, I still hit "sizelimit 1." Of course using dn.exact for our individual accounts works, though I don't want to touch slapd.conf every time we hire someone. Do you have any insight into what could be causing this behavior? I have not found the answer yet through extensive searching of the internets. Thanks, Douglas Duckworth, MSc, LFCS HPC System Administrator Scientific Computing Unit Physiology and Biophysics Weill Cornell Medicine E: doug(a)med.cornell.edu O: 212-746-6305 F: 212-746-8690

1 0

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical