openldap-technical

openldap-technical@openldap.org

3 participants
9868 discussions

best practices for backing up ldap configuration
by Khosrow Ebrahimpour 19 Dec '12

19 Dec '12

Hello everyone, Are there any best practices for backing up ldap configuration? Our current approach is to run a nightly diff on the output of "slapcat -l -b cn=config' and if it has changed, the new ldif is comitted to svn. Ideally, I'd like to just add the slapd.d directory to svn, and everytime it changes I'd checkin the new version. But I have a feeling that the ".svn" directories that will be created are going to cause trouble. Is there better way of doing this? Thanks, -- Khosrow

7 13

Doe's olcAuthzRegexp rules applied on the all incoming authentication requests?
by Tio Teath 18 Dec '12

18 Dec '12

Are olcAuthzRegexp rules applied on the all incoming authentication requests, or on the SASL request only? And what exactly loglevel shows those rules processing? I've tried all of them , and any showed me olcAuthzRegexp processing.

1 0

EXTERNAL mech missing
by Emmanuel Dreyfus 18 Dec '12

18 Dec '12

Hi When is the EXTERNAL mech proposed? I want to use peercred on a slapd instance, but EXTERNAL is not available: $ ldapsearch -xLLLH ldapi:/// -s base -b '' supportedSASLMechanisms dn: supportedSASLMechanisms: DIGEST-MD5 supportedSASLMechanisms: PLAIN supportedSASLMechanisms: LOGIN I have other machines when it shows up without a hassle. Where is the setting that cause it to be proposed? -- Emmanuel Dreyfus manu(a)netbsd.org

3 7

Re: Bulk update
by anil beniwal 18 Dec '12

18 Dec '12

Hi Quanah Thanks a lot. We can't change ldap version now. As we are about to GoLive. On Mon, Dec 17, 2012 at 10:14 PM, Quanah Gibson-Mount <quanah(a)zimbra.com>wrote: > --On Monday, December 17, 2012 10:59 AM +0530 anil beniwal < > beni.anil(a)gmail.com> wrote: > > >> Hi >> >> We want to update bulk records ( 3 million ) insert in my openldap >> 42.4.20 on rhel 6.3 . Three servers in replication. >> >> Each record is almost 6 KB. >> >> My concern, is there any tool or trick to speed this up. As of now for >> some 9 K records its taking around 3 hours. >> >> What should be my DB_CONFIG file . >> >> >> Please let me know what else should be taken care off. >> > > a) Upgrade to a sane, stable version of OpenLDAP < > http://ltb-project.org/wiki/**download#openldap<http://ltb-project.org/wiki/download#openldap> > > > b) Use -q with slapadd > c) Ensure your tool threads setting is appropriate for the number of > cpu/cores on your server > d) Read over <https://wiki.zimbra.com/wiki/**OpenLDAP_Performance_Tuning#* > *Configuring_the_Berkeley_DB_**subsystem_to_increase_LDAP_** > server_performance<https://wiki.zimbra.com/wiki/OpenLDAP_Performance_Tuning#Configuring_the_Be…>> > and apply it to your setup. In particular, if you have plenty of RAM, use > a shared memory key, and set the DB_CONFIG cachesize to a large value. > --Quanah > > > > -- > > Quanah Gibson-Mount > Sr. Member of Technical Staff > Zimbra, Inc > A Division of VMware, Inc. > -------------------- > Zimbra :: the leader in open source messaging and collaboration > -- Thanks&Regards Anil Beniwal

1 0

DB_LOG_AUTOREMOVE not working without restarting the server.
by Bheeshma SM 17 Dec '12

17 Dec '12

Hi I am using the latest Openldap. Software- Openldap 2.4.33 Server - RHEL 5.8 64 bit When i do an Ldapsearch, Ldapadd, Ldapdelete , the log.00000000x files are getting generated in the directory folder. To auto remove them i did add the " set_flags DB_LOG_AUTOREMOVE " to the DB_CONFIG file which is present in the directory folder itself. And I am using crontab to add the new data on the daily bases, but the log.00000000x files which are generated are not being auto removed..? Can anyone help me regarding this issue..? Is there a need to restart the server before adding the new data on the daily bases..? If so why is it so..? Thanks bhee

1 0

Bulk update
by anil beniwal 17 Dec '12

17 Dec '12

Hi We want to update bulk records ( 3 million ) insert in my openldap 42.4.20 on rhel 6.3 . Three servers in replication. Each record is almost 6 KB. My concern, is there any tool or trick to speed this up. As of now for some 9 K records its taking around 3 hours. What should be my DB_CONFIG file . Please let me know what else should be taken care off. -- Thanks&Regards Anil Beniwal

2 1

openldap shared address book + outlook 2010.
by Sandeep 17 Dec '12

17 Dec '12

HI, I am configuring a shared address book using Centos 6.3 openldap-2.4.23-26 Configuration is working with Thunderbird. but when checked with Outlook, I need to select advance find to get the list. Names only option remains unavailable. Any pointer ? Thanks Sandeep

3 2

Re: opeLDAP + backsql + salted_hashed_password, how to adopt the mappings
by Dan White 17 Dec '12

17 Dec '12

>>On 12/16/12 12:04 +0100, DavidHornung wrote: >>>I have to say thank you! I changed in the table >>>ldap_attr_mappings the value of userPassword from >>>persons.password >>> >>>to >>>text('{CRYPT}'||persons.password) >>> >>>Now I am able to auth again the salted MD5 passwords! >>> >>>One further question: >>>I tried to use blowfish >>>UPDATE persons SET password = crypt('secret', gen_salt('bf')); >>>instead of md5 >>>UPDATE persons SET password = crypt('secret', gen_salt('bf')); >>> >>>but i could not authenticate, what could be the problem? >> >>Check your local manpage for crypt(3) to see if blowfish is supported on >>your system, and that the ID matches the postgresql output. >> > >Yes, it gives > > ID | Method >--------------------------------------------------------- > 1 | MD5 > 2a | Blowfish (not in mainline glibc; added in some > | Linux distributions) > 5 | SHA-256 (since glibc 2.7) > 6 | SHA-512 (since glibc 2.7) > > >and the 2a is also given back from postgresql crypt When using the '{CRYPT}' identifier, you're telling slapd to make a 'crypt' system call to verify the hash. If that is failing for blowfish (but working for md5), that indicates that your problem is likely with how glibc was compiled on your system. Check with your distribution's glibc maintainer to verify they have included blowfish support (for the crypt call). -- Dan White

1 0

Ldap server Behind Firewall
by Hugo Deprez 17 Dec '12

17 Dec '12

Hello, I am currently running OpenLdap behind a checkpoint firewall. Some hosts are reaching the LDAP server, but the source IP is NAT Hide. (original IP is 192.168.0.1 - translated 192.168.1.2). I can see on my firewall many drops coming from the LDAP server to the translated IP. This kind of packet shouldn't exist, as I am using corosync for HA => No packet are coming from the VIP. This maybe a problem on the checkpoint firewall (which is not handling correctly the NAT), but I would like to know if someone already had this behaviour already with any firewall ? Maybe I am missing something on OpenLDAP network flow. Best regards, Hugo

1 0

Re: opeLDAP + backsql + salted_hashed_password, how to adopt the mappings
by Dan White 16 Dec '12

16 Dec '12

>On 12/16/12 08:55 +0100, DavidHornung wrote: >>>I already set up a self-compiled openldap-server 2.4.33 on CentOS6 with >>>back-sql, especially posgtresql as backend. I am already able to >>>authenticate from my MoinMoin Wiki via LDAP - but up to now the >>>passwords are saved in clear text in the postgresql table. >>> >>>Now I want to save the passwords as salted hash, rearding to >>>postgresql documentation >>See chapter 14.4 of the OpenLDAP Administrator's Guide. >> >>If the output of your postgresql crypt function produces a compatible >>format, use a concatenation function to prepend '{CRYPT}' (or other >>identifier) to your hash before postgresql hands the data off to >>back-sql. On 12/16/12 12:04 +0100, DavidHornung wrote: >I have to say thank you! I changed in the table ldap_attr_mappings >the value of userPassword from >persons.password > >to >text('{CRYPT}'||persons.password) > >Now I am able to auth again the salted MD5 passwords! > >One further question: >I tried to use blowfish >UPDATE persons SET password = crypt('secret', gen_salt('bf')); >instead of md5 >UPDATE persons SET password = crypt('secret', gen_salt('bf')); > >but i could not authenticate, what could be the problem? Check your local manpage for crypt(3) to see if blowfish is supported on your system, and that the ID matches the postgresql output. -- Dan White

1 0

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical