openldap-technical

openldap-technical@openldap.org

1 participants
9868 discussions

translucent overlay and "orphaned" local entry when remote entry moves
by Steve Eckmann 14 Jun '13

14 Jun '13

Is there a standard way to recover a local entry when its proxied entry is moved, that is, when a remote DN changes? It looks like the local entry and its attribute values become inaccessible via ldapsearch. I found the orphaned entry in the output of slapcat, but the man page warning about stopping slapd before running slapcat makes that seem like an impractical way to find and recover the orphans. Thank you.

2 2

What version of OpenSSL is required for OpenLDAP 2.4.35
by Ashwin Kumar 14 Jun '13

14 Jun '13

I am compiling OpenLDAP 2.4.35 with OpenSSL 1.0.0a. The compilation and building the library works fine. However, when I am using the OpenLDAP client "ldapsearch" the tool fails with these errors: [root@xMachine openldap-2.4.35]# ./ldaplib/bin/ldapsearch -H ldaps:// 192.168.1.51:10636 -d 5 ldap_url_parse_ext(ldaps://192.168.1.51:10636) ldap_create ldap_url_parse_ext(ldaps://192.168.1.51:10636/??base) ldap_pvt_sasl_getmech ldap_search put_filter: "(objectclass=*)" put_filter: simple put_simple_filter: "objectclass=*" ldap_build_search_req ATTRS: supportedSASLMechanisms ldap_send_initial_request ldap_new_connection 1 1 0 ldap_int_open_connection ldap_connect_to_host: TCP 192.168.1.51:10636 ldap_new_socket: 3 ldap_prepare_socket: 3 ldap_connect_to_host: Trying 192.168.1.51:10636 ldap_pvt_connect: fd: 3 tm: -1 async: 0 attempting to connect: connect success TLS trace: SSL_connect:before/connect initialization TLS trace: SSL_connect:SSLv2/v3 write client hello A TLS trace: SSL_connect:error in SSLv3 read server hello B TLS trace: SSL_connect:error in SSLv3 read server hello B TLS: can't connect: error:1411809D:SSL routines:SSL_CHECK_SERVERHELLO_TLSEXT:tls invalid ecpointformat list. ldap_msgfree ldap_err2string ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1) additional info: error:1411809D:SSL routines:SSL_CHECK_SERVERHELLO_TLSEXT:tls invalid ecpointformat list 1. Why does this happen? 2. Is it the issue with the OpenSSL 1.0.0a? 3. What is the minimum version of OpenSSL required to build the LDAP clients? -- Ashwin kumar (http://ashwinkumar.me)

2 1

password policy error: Password policy only allows one password value
by Joke de Buhr 14 Jun '13

14 Jun '13

Hi, I activated the password policy overlay but every time I try to update the password using ldappassw I get this error message: SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 Result: Constraint violation (19) Additional info: Password policy only allows one password value The user account has it attribute pwdPolicySubentry set to the policy listed below. The original account had multiple userPassword values with different hashes but I deleting every attribute userPassword but the last one didn't help. Deleting all userPassword attributes didn't work either. ldappasswd always returns the error. Any idea what causes the problem or what setting to check? Regards Joke ----------------------------------------------------------------------------- dn: cn=person,ou=policies,dc=seiken,dc=de objectClass: top objectClass: person objectClass: pwdPolicy cn: person pwdAttribute: userPassword sn: -none- description: password policy designed for real people logins pwdAllowUserChange: TRUE pwdCheckQuality: 1 pwdExpireWarning: 2592000 pwdFailureCountInterval: 5 pwdGraceAuthNLimit: 3 pwdInHistory: 5 pwdLockout: TRUE pwdLockoutDuration: 3600 pwdMaxAge: 7776000 pwdMaxFailure: 60 pwdMinAge: 0 pwdMinLength: 5 pwdMustChange: TRUE pwdSafeModify: FALSE -----------------------------------------------------------------------------

1 1

Re: openldap-technical Digest, Vol 67, Issue 12
by Mark Molenda 13 Jun '13

13 Jun '13

It's been awhile since I've messed with this but this sounds like a classic directory chaining or LDAP referral, where the LDAP client does not find the user and automatically refers the client to the directory having the entry. ============================ Message: 1 Date: Wed, 12 Jun 2013 09:20:56 -0500 From: Jason Brandt <jbrandt(a)fsmail.bradley.edu> To: openldap-technical(a)openldap.org Subject: OpenLDAP Proxy for Active Directory Authentication Message-ID: <CAJ-t26o1=bEWUuv4xeveTNG37jqD-hWCoGbSpofU4fCiywAiiw(a)mail.gmail.com> Content-Type: text/plain; charset="iso-8859-1" We run in a mixed environment, with both Active Directory and LDAP directory servers. Some users exist in both LDAP and AD, while some are just in AD. As such, we always have obstacles with password sync between directories. Is it possible, to set up an OpenLDAP proxy (if that's the correct term), which would authenticate via Active Directory if the user exists there (or if a flag is present in the LDAP entry, etc), otherwise via LDAP if the user is not an AD user, thereby eliminating the need to store the password in both directories? Directory information would otherwise

1 0

How can OpenLDAP client process on FreeBSD authenticate a web user with active directory
by Ganesh Borse 13 Jun '13

13 Jun '13

Dear Friends I am new to OpenLDAP. We are migrating our application (integrated with webserver) from Windows to FreeBSD. However, this is adding a bit of a problem. Previously, I used Microsoft SSPI authentication loop mechanism to authenticate the users connecting from GUI client (launched from computers in MS active directory) to our application. AD authentication helped avoid maintaining separate passwords. Now, since we are moving to FreeBSD and web based interface, it is difficult to use the same SSPI mechanism and so, the users connecting to this application from web browser can be authenticated using the AD credentials. The function ldap_bind_s requires explicit password when connecting to directory server using a username other than logged in user. Also, pass-through authentication mechanism (14.5) outlined in OpenLDAP-Admin-Guide cannot be used as it is for slapd. Thus, can you please help me know, how can I authenticate a user configured in AD and connecting from web browser running on a computer in AD using openLDAP client on FreeBSD? I want to avoid maintaining or passing passwords on FreeBSD. Many thanks in advance for your time and help. Thanks and Regards, - ganesh

3 4

LMDB: MDB_MAP_FULL doesn't allow deletions
by Jeremy Bernstein 12 Jun '13

12 Jun '13

Hi OpenLDAP-Technical, First post, thanks in advance for any assistance. I am trying to manage database size for an application in which a fixed DB size is necessary (user-specified and these users are ornery). My preferred strategy is: - write to the DB until it's (nearly?) full - at that point, prune entries matching a certain criteria (either deleting them or backing them up to an auxiliary DB of some sort). I have all of this working, in fact, except that once I hit MDB_MAP_FULL on mdb_put(), I can no longer do anything with the DB, including deleting records. mdb_cursor_del() also returns MDB_MAP_FULL at that point. If I had some idea of when the DB was nearly full, I could do my pruning prophylactically, I guess. Resizing the database upward isn't really a solution, given the constraints of this particular application. Some other observations: - on OSX (BSD?), if I do not set MDB_WRITEMAP in mdb_env_open(), MDB_MAP_FULL is _never_ returned, even when the DB is full. Setting MDB_WRITEMAP disables DB sparseness, though (so my 64MB-mapsize db with one record is 64MB on disk). Bug or feature? - on Windows, the database size is always the same as the mapsize. Possibly there's simply no support for sparse MM files on Windows, but I thought it's worth checking. OK, that's enough for the first post, thanks once again for any insight. Jeremy Bernstein

2 10

Getting Openldap to Trigger Events On Add
by Bram Cymet 12 Jun '13

12 Jun '13

Hi, I am wondering if it is possible to have OpenLDAP trigger a script anytime something is added to the ldap tree. For example after a user entry is added to the tree I would like to run some commands to create a kerberos principle for that user. A user will always be "Kerberized" so it would be continent to just have this happen automatically. -- Bram Cymet Software Developer Canadian Bank Note Co. Ltd. 613-608-9752

2 1

OpenLDAP Proxy for Active Directory Authentication
by Jason Brandt 12 Jun '13

12 Jun '13

We run in a mixed environment, with both Active Directory and LDAP directory servers. Some users exist in both LDAP and AD, while some are just in AD. As such, we always have obstacles with password sync between directories. Is it possible, to set up an OpenLDAP proxy (if that's the correct term), which would authenticate via Active Directory if the user exists there (or if a flag is present in the LDAP entry, etc), otherwise via LDAP if the user is not an AD user, thereby eliminating the need to store the password in both directories? Directory information would otherwise be pulled from the LDAP server, not from Active Directory.

2 3

Design of assertion control filter
by Dieter Klünter 10 Jun '13

10 Jun '13

Hi, following search shows correct results: ldapsearch -Y EXTERNAL -H ldapi:/// \ -b "cn=billy kid,ou=tombstone,o=avci,c=de" -s base \ "(l:caseExactmatch:=Tombstone)" sn l # LDAPv3 # base <cn=billy kid,ou=tombstone,o=avci,c=de> with scope baseObject # filter: (l:caseExactmatch:=Tombstone) # requesting: sn l # # Billy Kid, tombstone, avci, de dn: cn=Billy Kid,ou=tombstone,o=avci,c=de sn: Kid l: Tombstone # search result # numResponses: 2 # numEntries: 1 changing the filter to (l:caseExactmatch:=tombstone) shows the expected results # search result search: 2 result: 0 Success Now a search with assertion control allways shows error 122 ldapsearch -YEXTERNAL -e assert='l=Tombstone'-H ldapi:/// -b "cn=Billy Kid,ou=tombstone,o=avci,c=de" -s base sn l LDAPv3 # base <cn=Billy Kid,ou=tombstone,o=avci,c=de> with scope baseObject # filter: (objectclass=*) # requesting: ldapi:/// sn l # # search result search: 2 result: 122 Assertion Failed The same applies to an extended assertion filter ldapsearch -YEXTERNAL -e assert='l:caseExactmatch:=Tombstone' -H ldapi:/// -b "cn=Billy Kid,ou=tombstone,o=avci,c=de" -s base sn l # search result search: 2 result: 122 Assertion Failed What is wrong with this assertion filter? -Dieter -- Dieter Klünter | Systemberatung http://dkluenter.de GPG Key ID:DA147B05 53°37'09,95"N 10°08'02,42"E

3 3

migrating from SUN one C SDK to openldap C sdk (Linux).
by Far a 10 Jun '13

10 Jun '13

As part of Solaris to Linux migration, I am planning to migrate my application that uses SUN one C SDK to openldap C sdk (Linux). I have various questions that I need to address at the beginning. I am hoping I can get some help over here. The questions are as follows * Can client use openldap C sdk (Linux) while the server is still on Sun one LDAP server. * Is there a list of dos and don'ts and list of possible issues for migrating from SUN one LDAP TO openldap on Linux . Regards farhad

5 14

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical