openldap-technical

openldap-technical@openldap.org

5 participants
9899 discussions

Setting a whole subtree temporarily read-only based on an attribute?
by Peter Mogensen 31 Oct '12

31 Oct '12

Hi, I've been reading the slapd.access back and forth a few times in search for a way to make an ACL, which defines read (and only read) access to a whole subtree in the DIT based on the value of an attribute of the subtree root node. I've found out how to do it for a named user by defining a group attribute on the node like this: olcAccess: {2}to dn.regex="^.+,o=([^,]+),dc=example,dc=com" by group/NamedObject/denied.expand="o=$1,dc=example,dc=com" read by * +0 break But this only denies the named DNs write access. What I want to to deny everybody write access to everything below the o=$1 RDN. Conceptually I would also imagine, that this would belong in the <WHAT> clause of the ACL and not in the <WHO> clause, but I can't find any mechanism to do stuff like: access to dn.<which-have-attr-set-to-readonly>.children by * read What is the text-book way to do this? regards, Peter

1 0

Error : when create usermachine in LDAP
by rodrigo tavares 31 Oct '12

31 Oct '12

Hello, I try to create a computer in LDAP, come this message: Error in OpenLDAP recording computer.* What is wrong ? Rodrigo Faria

3 5

read/write password/... attributes from/in SQL DB directly
by Denny Schierz 31 Oct '12

31 Oct '12

hi, our usermanagement is running on a Postgres (later MariaDB) database and have some (cron)scripts, that push/delete the new users into the LDAP tree. If the user changes his password (passwd/linux) it is only written to the LDAP side and one other script, reads the new password out and writes it into the user mgt DB back. I want to ask: is there a way, to let LDAP read/write this or more attributes to the DB directly? We thought also to switch the dbdm to the mySQL backend, but I think, it isn't a good idea for ~4.000 active accounts and several netboot clients. cu denny

1 1

OpenLDAP - how to correct invalid cn values
by Whiteman, Craig 30 Oct '12

30 Oct '12

A bug in a PHP script<http://www.linuxquestions.org/questions/showthread.php?p=4813771> has caused some entries in the LDAP database<http://www.linuxquestions.org/questions/showthread.php?p=4813771> to have invalid values: # James + Bond, people, mi6.gov.uk dn: cn=James+sn=Bond,ou=people,dc=mi6,dc=gov,dc=uk sn: Bond givenName: James cn:: U3RldmUg gecos:: U3RldmUg As you can see, the cn: and gecos: have the invalid values - they should be James Bond. I did attempt to correct the problem with ldapmodify by putting the following into a file called updateCN.ldif: dn: cn=James+sn=Bond,ou=people,dc=mi6,dc=gov,dc=uk changetype:modify replace: cn cn: James Bond and executing the following command: ldapmodify -x -W -D "cn=admin,dc=mi6,dc=gov,dc=uk" -f updateCN.ldif This returned the following error Enter LDAP Password: modifying entry "cn=James+sn=Bond,ou=people,dc=mi6,dc=gov,dc=uk" ldap_modify: Naming violation (64) additional info: value of naming attribute 'cn' is not present in entry I have also tried ldapmodrdn: ldapmodrdn -r -f updateCN.ldif with updateCN.ldif: dn: cn=James Bond+sn=Bond,ou=people,dc=mi6,dc=gov,dc=uk cn=James Bond $ ldapmodrdn -r -f updateCN.ldif SASL/DIGEST-MD5 authentication started Please enter your password: ldap_sasl_interactive_bind_s: Internal (implementation specific) error (80) additional info: SASL(-13): user not found: no secret in database and ldapmodify -f updateCN.ldif with updateCN.ldif: dn: cn=James Bond+sn=Bond,ou=people,dc=mi6,dc=gov,dc=uk changetype: modrdn newrdn: cn=James Bond deleteoldrdn: 1 $ ldapmodify -f updateCN.ldif SASL/DIGEST-MD5 authentication started Please enter your password: ldap_sasl_interactive_bind_s: Internal (implementation specific) error (80) additional info: SASL(-13): user not found: no secret in database How can I correct the invalid values in the LDAP database? THINK BEFORE YOU PRINT====================================================================== The information contained in this email is intended only for the individual to whom it is addressed. It may contain legally privileged or confidential information or otherwise be exempt from disclosure. If you have received this message in error or there are any problems, please notify the sender immediately and delete the message from your computer. YOU MUST NOT use, disclose, copy or alter this message for any unauthorized purpose. Neither Electricity North West Limited nor any of its subsidiaries will be liable for any direct, special, indirect or consequential damages as a result of any virus being passed on, or arising from the alteration of the contents of this message by a third party. Electricity North West Limited 304 Bridgewater Place, Birchwood Park Warrington WA3 6XG, Registered in England and Wales Registration No 02366949 ===========================================================================================

3 4

max. numbers of subordinate databases
by Dieter Klünter 29 Oct '12

29 Oct '12

Hello, I have a strange requirement to setup a Server with as much as possible subordinate databases. In a test environment I could create any number of databases, but a one level search presents the results of 27 databases and after this an internal error is reported. (thread_pool_setkey failed err (12)) I did this tests with back-hdb and back-mdb. Is there any way to increase the number of subordinate databases? -Dieter -- Dieter Klünter | Systemberatung http://dkluenter.de GPG Key ID:DA147B05 53°37'09,95"N 10°08'02,42"E

2 1

[PATCH] ctrl & exop for PHP 5.3
by Emmanuel Dreyfus 29 Oct '12

29 Oct '12

Hello Quite some time ago, Pierangelo Masarati wrote a patch to brind ctrl and exop support to PHP. Unfortunately the patch was never checked in upstream and broke with PHP 5.3 I trieed to upgrade the patch for PHP 5.3 support. Here is my first attempt, which builds on PHP 5.3.17: http://ftp.espci.fr/shadow/manu/ldap-ctrl-exop-20121025.patch I successfully tested ldap_exop_passwd, ldap_exop_whoami, and ldap_refresh. Everything else was not tested and is broken without any doubt (zend_parse_parameters 3rd argument is wrong, it should probably be Z more often). Feel free to help, either by fixing the remaining bits, or by providing a test case for the broken parts (I never used controls and therefore I am not going to do it). -- Emmanuel Dreyfus manu(a)netbsd.org

4 3

Problem in sync-repling multiple databases
by Marco Pizzoli 29 Oct '12

29 Oct '12

Hi all, I'm using OL 2.4.33 and I'm trying to replicate a tree to an instace of OL 2.4.33 composed by multiple databases. My tree is something as this: - basedn - ou=ou1 - ou=ou2 - ou=ou3 If I have all my subtrees, on the master, served by a single db... then I can syncrepl to the consumer without problems. If my master is composed by separate databases (ou1, ou2, etc.. are all distinct databases), then the replica stops after completing the first one of them. So to recap: - single database to multiple database --> ok - multiple database to multiple database --> ko Is it a known problem? I read that it was as of OL 2.3, but also that it was fixed in OL2.4. My logs present no indication of any kind of problem, even at debug level. If I try to configure a second replica configration targeted directly to (in example) to ou=ou3, then that ou get replicated. Any help/advice is welcome. Thanks in advance as usual Marco

2 1

Newbie question about host base authentication
by Simone Scremin 29 Oct '12

29 Oct '12

Hi all, I'm in the process of learning the OpenLDAP authentication mechanics. I'd need to know what is the best way to configure an host based authentication system that allow to configure a per-user rule to include a group of host to which the user is allowed to login. In example: user Bob needs to authenticate on systems: sys01pra sys02pre sys03pra sys03pre some configuration on the LDAP server enable this hostnames for Bob with a regular expression like: sys0*pr* Is it feasable? Thanks Simone

5 7

Re: Newbie question about host base authentication
by Simone Scremin 29 Oct '12

29 Oct '12

Hi Olivier, thanks for the fast answer. I'm looking at pam_ldap component and I already saw the host based authentication that enables to list hostnames on the server per user. Your idea, if I'm not mistaken, would be to specify this host parameter as some kind of LDAP data structure (ie: groupOfNames) and have the authentication mechanism match on that structure. I'm looking at groupOfNames and it's not clear to me if it can really be used for that purpose but the most obscure point is where the logic for the matching should go. I'm really open to any input on this subject whether it is some example of already implemented solutions or just some direction on how to go forward with the development. Thank you Simone On Oct 29, 2012, at 2:40 PM, Olivier <ldap(a)guillard.nom.fr> wrote: > ---Previous mail sent accidently before ending (sorry for doublon)--- > > Feasable it is (there different ways to do that). > > BTW, I'm also interested to gather some input on that topic. > > @simone : I suggest that you look at pam mecanisms : > http://www.padl.com/OSS/pam_ldap.html > And more specifically at the access.conf syntax. > > You may be interested in : > Hosts, posix groups, group of names and netgroups > > > @list : I would appreciate some input from others about the > best way to store hosts in ldap for this kind of usage : > > Which container to use for hosts (structural class account? > device ? ... ) > > How to deal with groups of hosts : groupOfNames ? posixGroup ? > > Any advice ? > > Thanks, > > > 2012/10/29 Simone Scremin <simone.scremin(a)gmail.com>: >> Hi all, >> I'm in the process of learning the OpenLDAP authentication mechanics. >> I'd need to know what is the best way to configure an host based authentication system that allow to configure a per-user rule to include a group of host to which the user is allowed to login. >> >> In example: >> >> user Bob needs to authenticate on systems: >> >> sys01pra >> sys02pre >> sys03pra >> sys03pre >> >> some configuration on the LDAP server enable this hostnames for Bob with a regular expression like: >> >> sys0*pr* >> >> Is it feasable? >> >> Thanks >> >> Simone >>

1 0

compile 2.4.33 on AIX 6.1 with IBM vac - mdb.c - mdb_cursor_pop fails
by Howard Allison 25 Oct '12

25 Oct '12

Hi I've compiled openldap 2.4.33 on AIX 6.1 and had to edit the file libraries/libmdb/mdb.c. In mdb_cursor_pop I had to comment out the #if MDB_DEBUG directive to make *top visible. #if MDB_DEBUG */ MDB_page *top = mc->mc_pg[mc->mc_top]; /* #endif */ Is this something particular to xlc? Thanks Howard Allison -------------------------------------------------------------------------------------------------------- VERTRAULICHKEIT: Diese Nachricht ist ausschließlich für denjenigen bestimmt, an den sie adressiert ist und kann vertrauliche Informationen enthalten. Falls Sie nicht der Empfänger dieser Nachricht sind, weisen wir Sie darauf hin, dass die unberechtigte Weitergabe oder Verwendung sowie das unberechtigte Verteilen oder Kopieren dieser Nachricht strikt untersagt sind. Falls Sie diese Nachricht irrtümlich erhalten haben, vernichten Sie sie bitte sofort. CONFIDENTIALITY: This message is intended only for the use of the individuality or entity to which it is addressed and may contain information that is privileged, confidential and exempt from disclosure. If you are not the intended recipient you are notified that any dissemination, distribution, use or copying of this communication is strictly prohibited. If you received this message in error, please immediately destroy this message. --------------------------------------------------------------------------------------------------------

2 1

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical